PREFACE


This report describes a reliability analysis of large (1,600 tons and over) commercial vessel engine room automation systems. The work was performed by DOVAP and Associates for Headquarters, U.S. Coast Guard, under Contract DTCG23-81-C20005.

U.S. Coast Guard Technical Monitors were Dr. C.P. Chuang and LTJG K.A. Nugent, USCG.

The authors wish to express their gratitude for the excellent cooperation received from the many firms and individuals involved in this study. This includes the ship owners, operators, and crews, and the automation system manufacturers, repair firms, and hardware suppliers. In all cases, DOVAP's requests for information and documentation were granted.

Members of the DOVAP study team were C.E. Davis, W.C. Graham, D. Harris, P. Henmi, J. Medland, P. Nicholson, Dr. L. Phillipson, G. Resnick, and W. Severson. In addition, the authors wish to acknowledge the efforts of M. Jones, K. Parsons, C. Range, and M. Csiszer for their assistance in report preparation.


EXECUTIVE  SUMMARY 


This report documents a study of the reliability of large (over 1,600 tons) commercial vessel engine room automation systems. The overall objective of the study was to provide the U.S. Coast Guard with quantitative and qualitative information for use in assessing potential relationships between engine room automation system reliability and vessel navigation safety hazards.

Task I of this study consisted of a search and review of the open literature. The effort focused on marine automation systems and their reliability and maintainability characteristics. Over 250 documents were reviewed, from which 115 were deemed applicable to the study. The general conclusions reached from the literature review are as follows:

a) The reliability of commercial vessel automated propulsion systems needs improvement;

b) No formal reliability efforts related to design are currently applied by United States manufacturers;

c) When discussing individual problem areas, most papers state that sensors are problems but give no positive suggestions for improvement;

d) Components are selected primarily on the basis of cost, unless component provisions are specifically stated in the design criteria;

e) It is generally agreed that automated propulsion systems for commercial vessels should be better supported with improved training, improved manuals and documentation, and better spares and preventative maintenance programs;

f) Standard environmental criteria need to be defined; and

g) A commercial vessel failure data system needs to be established.




In reviewing all literature sources, certain subjects were conspicuous by their absence. These are:

a) No formal reliability evaluations of commercial vessel systems were reported.

b) No cost effectiveness studies of current propulsion systems were reported.

The major part of Task II consisted of a reliability analysis of three typical vessels. These included two steam vessels and one diesel. The reliability analysis included reliability predictions, failure modes and effects analyses (FMEA), criticality analysis, and fault tree analyses. For the failure rate predictions, five categories of rates were generated. These are:

a) Basic failure rates.

b) Failure rates which would be experienced at higher ambient temperatures.

c) Failure rates which would be experienced with better quality parts.

d) Failure rates which would be encountered during the vessel's premature (or initial) period.

e) Failure rates which result from ideal maintenance practices.

The overall basic failure rate predictions for the automated engine room controls for the three ships are as follows:

                      Basic Failure Rate      Mean Time
                      (Failures per Hour)     Between Failures

    Ship A (Steam)        0.007988             125.2 hours
    Ship B (Steam)        0.003622             276.1 hours
    Ship C (Diesel)       0.001015             984.9 hours

The highest predicted failure rate for the three systems evaluated is for Ship A, which averages approximately 5.8 predicted failures per month. It is predicted that Ship B will average approximately 2.6 failures per month. The principal reason for the difference between the two steam vessels is that Ship A's automated propulsion system is more complex than Ship B's, and Ship A contains a great deal of pneumatic controls, which have higher failure rates than electronic controls. Ship C is the diesel vessel and its control system is not comparable to those of the steam systems, which are much more complicated.


Reviews of historical Navy data show a failure rate for their automated engine room control systems of 1.6 failures per month. It was predicted that the commercial vessel failure rates can be reduced by approximately 50 percent through a comprehensive preventative maintenance program. If this were instituted and the basic failure rates were reduced by half, the expected number of failures per month for Ship B would then be 1.3. This prediction of 1.3 failures per month is close to the 1.6 failures per month derived from the Navy's 3M data system for the actual occurrence of Navy propulsion system failures. Since the Navy does have a comprehensive preventative maintenance program, this gives a relatively good correlation with the predicted values.

The predicted effects upon the system failure rates due to the other factors are as follows:

a) Increasing the operating temperature from 35 to 50 degrees C would increase the basic failure rates by 22 percent.

b) Improving the control system quality by using military grade parts would decrease the basic failure rates by 53 percent.

c) The premature failure rates during the first six months of a vessel's operation are approximately six times higher than during the remainder of the ship's operational life.
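The arithmetic behind the failure rate table and the adjustment percentages above, as an added Python example (not code from the report or from DOVAP): a parts-count prediction in which the system rate is the sum of the part rates scaled by adjustment multipliers, followed by MTBF, expected failures per 730-hour month and per 710-hour cruise, and the exponential-model probability of at least one failure in an exposure. The three system rates and the quoted percentages are the report's; the part list, the multiplier values, and the 730-hour month (which reproduces the report's per-month figures) are assumptions made for the example.

```python
"""Parts-count reliability prediction and exponential-model arithmetic.

Added example; not code from the DOVAP/USCG report.  The part list and
the adjustment multipliers are constructed for illustration.  The only
figures taken from the report are the three system failure rates and the
percentage changes quoted in the executive summary.
"""
from dataclasses import dataclass
from math import exp

# Failure rates are in failures per hour, as in the report.
CRUISE_HOURS = 710.0   # the report's "normal cruising time"
MONTH_HOURS = 730.0    # 8760 h / 12; assumption consistent with the report's
                       # 5.8 and 2.6 failures per month

# Basic system rates from the report's executive-summary table.
REPORT_RATES = {"Ship A (Steam)": 0.007988,
                "Ship B (Steam)": 0.003622,
                "Ship C (Diesel)": 0.001015}


@dataclass(frozen=True)
class Part:
    name: str
    base_rate: float   # lambda_b, failures per hour, from a data source
    quantity: int = 1


def system_rate(parts, multipliers=()):
    """Series-system (parts-count) rate: the sum of the part rates, each
    scaled by the product of the adjustment multipliers (temperature,
    quality, ...).  A series model counts every part failure as a system
    failure; sorting those failures by effect is the FMEA's job."""
    factor = 1.0
    for m in multipliers:
        factor *= m
    return sum(p.base_rate * p.quantity for p in parts) * factor


def mtbf(rate):
    """Mean time between failures for a constant-rate (exponential) model."""
    return 1.0 / rate


def expected_failures(rate, hours):
    """Expected number of failures over an exposure of `hours`."""
    return rate * hours


def prob_at_least_one(rate, hours):
    """P(at least one failure in `hours`) under the exponential model,
    1 - exp(-lambda * t).  For small lambda * t this is about lambda * t,
    which is the approximation the report uses when it turns a per-cruise
    probability into a mean time between events."""
    return 1.0 - exp(-rate * hours)


def percent_change(new_rate, base_rate):
    return 100.0 * (new_rate - base_rate) / base_rate


# Constructed control-loop bill of materials (not the report's parts lists).
EXAMPLE_PARTS = [
    Part("pressure transmitter", 2.0e-5, 4),
    Part("pneumatic positioner", 4.0e-5, 3),
    Part("relay, SPDT", 5.0e-6, 12),
    Part("op-amp card", 8.0e-6, 6),
    Part("solenoid valve", 3.0e-5, 2),
]

# Constructed multipliers, chosen to mirror the effects the report quotes:
# +22 % for 35 -> 50 C, -53 % for military-grade parts, x6 during the first
# six months, -50 % under a comprehensive preventative maintenance program.
PI_TEMP_50C = 1.22
PI_MIL_QUALITY = 0.47
PI_INFANT = 6.0
PI_GOOD_PM = 0.5


def report_summary():
    """Rebuild the executive-summary table from the three basic rates:
    (MTBF in hours, failures per month, failures per 710-hour cruise)."""
    return {ship: (round(mtbf(lam), 1),
                   round(expected_failures(lam, MONTH_HOURS), 2),
                   round(expected_failures(lam, CRUISE_HOURS), 2))
            for ship, lam in REPORT_RATES.items()}


if __name__ == "__main__":
    for ship, (hours, per_month, per_cruise) in report_summary().items():
        print(f"{ship}: MTBF {hours} h, {per_month}/month, {per_cruise}/cruise")
    base = system_rate(EXAMPLE_PARTS)
    hot = system_rate(EXAMPLE_PARTS, [PI_TEMP_50C])
    print(f"example loop: {base:.6f}/h, {percent_change(hot, base):+.0f}% at 50 C")
```

The multipliers compose, so the first-six-months rate under a poor maintenance program is `system_rate(parts, [PI_INFANT])`, and the same period at 50 C is `system_rate(parts, [PI_INFANT, PI_TEMP_50C])`; the 53 percent and 50 percent reductions cannot be stacked as a 103 percent reduction, which is exactly why the factors are multiplicative.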

The predicted number of failures does not by itself give the actual relationship between reliability problems and potential navigation safety hazards. In order to better evaluate the effects of failures, Failure Modes and Effects Analysis (FMEA), Criticality Analysis and Fault Tree Analysis were performed.

In performing the FMEAs for the three vessels, each part or group of parts in the automated control systems was analyzed to determine its failure modes, and how those modes affect the subsystem and the system. The results of the FMEA were then used in the quantitative criticality analysis and the fault tree analysis.


Due to the complexity of the criticality analysis and the fact that the basic results would be the same for Ships A and B (the steam vessels), only Ship B was used for the quantitative, computer-generated criticality analysis. The total predicted failure rate for Ship B, using the basic rates, was 0.003622 failures per hour, or a mean time between failures of 276.1 hours. Using a normal cruising time of 710 hours, the expected number of failures per cruise is 2.57. These data were analyzed using a computerized technique, and Table ES-1 shows the distribution of the 2.57 failures arranged in order of mission criticality. These are predicted frequencies for normal cruising.

During the normal cruising period, permanent damage to either the boiler or turbine is ranked first in terms of criticality. The most frequent mission effect is "small performance degradation," which accounts for 23 percent of the total failures. Because "small performance degradation" is rather inconsequential during normal cruising, its mission loss probability is computed as 0.1. Therefore, even though the mission effect "small performance degradation" is highest by frequency, because of its low mission loss probability it is ranked fifth in terms of its contribution to mission criticality.
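How a ranking by frequency and a ranking by criticality can disagree, as an added Python example (not the report's computer program, and the table below is not Table ES-1): each mission-effect class is scored as its expected occurrences per cruise multiplied by its mission loss probability, and the classes are sorted both ways. The 2.57 failures per cruise, the 23 percent share and the 0.1 loss probability for "small performance degradation" are the report's figures; the other effect classes, their shares and their loss probabilities are constructed so that the example reproduces the behaviour described above (highest frequency, fifth by criticality).

```python
"""Quantitative criticality ranking: frequency x mission-loss probability.

Added example; not the report's criticality program and not Table ES-1.
Only the total of 2.57 failures per cruise and the first entry's share
(23 %) and loss probability (0.1) come from the report; every other class
is constructed to illustrate the method.
"""
from dataclasses import dataclass

FAILURES_PER_CRUISE = 2.57   # Ship B, 710-hour cruise, basic rates


@dataclass(frozen=True)
class MissionEffect:
    name: str
    share: float           # fraction of all failures producing this effect
    p_mission_loss: float  # conditional probability the effect costs the mission

    def frequency(self, failures_per_cruise):
        """Expected occurrences of this effect per cruise."""
        return self.share * failures_per_cruise

    def criticality(self, failures_per_cruise):
        """Expected mission losses per cruise attributable to this effect."""
        return self.frequency(failures_per_cruise) * self.p_mission_loss


# Constructed distribution of mission effects (shares sum to 1.0).
EFFECTS = [
    MissionEffect("small performance degradation", 0.23, 0.10),     # report's numbers
    MissionEffect("permanent damage to boiler or turbine", 0.08, 0.95),
    MissionEffect("unscheduled turbine shutdown", 0.12, 0.60),
    MissionEffect("temporarily reduced RPM", 0.15, 0.40),
    MissionEffect("loss of one alarm channel", 0.20, 0.35),
    MissionEffect("nuisance alarm, no operational effect", 0.22, 0.0),
]


def check_shares(effects, tol=1e-9):
    """The shares must partition the failures; a table that does not sum
    to one gives a ranking that silently double-counts or drops failures."""
    total = sum(e.share for e in effects)
    if abs(total - 1.0) > tol:
        raise ValueError(f"effect shares sum to {total}, not 1")
    return True


def rank(effects, failures_per_cruise, key):
    """Return the effect names ordered most-to-least by `key`, which is
    either 'frequency' or 'criticality'."""
    scored = [(getattr(e, key)(failures_per_cruise), e.name) for e in effects]
    scored.sort(key=lambda t: t[0], reverse=True)
    return [name for _, name in scored]


def table(effects, failures_per_cruise):
    """Rows of (name, frequency per cruise, criticality per cruise),
    sorted by criticality as Table ES-1 is described."""
    rows = [(e.name, e.frequency(failures_per_cruise),
             e.criticality(failures_per_cruise)) for e in effects]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    check_shares(EFFECTS)
    print("by frequency:  ", rank(EFFECTS, FAILURES_PER_CRUISE, "frequency"))
    print("by criticality:", rank(EFFECTS, FAILURES_PER_CRUISE, "criticality"))
    for name, freq, crit in table(EFFECTS, FAILURES_PER_CRUISE):
        print(f"{name:40s} {freq:6.3f}/cruise  {crit:6.3f} losses/cruise")
```

The loss probability is the "scenario" factor: the same failure counted in the FMEA is scored differently for normal cruising than it would be for maneuvering in close quarters, where the 0.1 for a small performance degradation would have to be revised upward and the ranking recomputed.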

The computer-generated criticality analysis was validated by comparing the predicted mission effects to actual historical data. For example, the expected frequency of temporarily reduced RPMs was predicted to be 0.29 per cruise. This gives an expected rate per year of 3.4. This compares almost exactly to one report reviewed during Task I which documents 41 ship-years of history and reports a slowdown rate of 3.3 per ship-year.

The primary conclusion drawn from the criticality analysis is that the majority of the automated propulsion control system failures do not result in mission critical events because the systems are designed with sufficient backup and alarms.

Fault tree analysis was performed for selected undesirable events for all three ships. The fault tree analysis probabilities were based on the exponential distribution and are computed for one cruise of one-month duration. Each probability of occurrence was computed twice, once with the probability of manual intervention being effective 90 percent of the time (or noneffective 10 percent of the time), and once with no manual intervention. Noneffective manual intervention could be due to an alarm failure, incorrect action taken by the crew, action not timely enough to prevent problems, etc. The results of the fault tree analysis for Ships A and B are summarized in Table ES-2.

One of the top undesirable events is unscheduled turbine shutdown. The probability that Ship A will experience an unscheduled turbine shutdown during a cruise when manual intervention is 90 percent effective is predicted to be 0.1584; the probability for Ship B is 0.1065. This amounts to approximately 1.9 such shutdowns per year for Ship A and 1.27 for Ship B. The probabilities increase significantly with no manual intervention; for Ship A the probability increases to 0.5186 and for Ship B to 0.2861.

As a comparison to actual historical data, the 1.9 and 1.27 predicted stoppages at sea are relatively close to those reported in a document that summarizes the stoppage history of 29 tankers. This paper reports an average stoppage at sea rate of one per ship per year.

The predicted probability of explosion, either combustion or steam, is 0.0181 for Ship A and 0.0189 for Ship B. This amounts to an estimated mean time between explosions of 39,000 hours for Ship A and 37,000 hours for Ship B. As a comparison, it was estimated from two sources of historical data that explosions occur once every 36,000 hours in steam systems. Therefore, the estimates for Ship A and Ship B are relatively close to the estimates generated from historical analysis.

The probability of the top undesirable event "loss of speed/directional control" for the steam vessels becomes inconsequential due to redundancy. The likelihood of loss of the primary throttle control mode, with a probability of 0.1682 per cruise, is relatively high. However, double redundancy is provided by the hand pump and the hand wheels, so the probability of losing all control modes becomes extremely small.

The top event for the diesel system fault tree is "vessel does not respond as commanded due to engine room automation faults." The probability of this top event is 0.072, or roughly 0.9 occurrences per year.
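The fault tree method described above, as an added Python example (not the report's trees or numbers, which are in Appendices B, C and D): basic events get one-cruise probabilities from the exponential distribution, OR and AND gates combine independent inputs, manual intervention enters as an AND gate with a 0.1 probability of being noneffective, and the throttle-control redundancy is an AND of the primary mode with two manual backups. Every failure rate in the tree is constructed; the 710-hour cruise, the twelve one-month cruises per year and the 90 percent intervention effectiveness are the report's assumptions, and the two conversion helpers reproduce the report's 1.9 per year and 39,000-hour figures from its own per-cruise probabilities.

```python
"""Fault-tree evaluation for a one-cruise exposure, with and without
manual intervention.

Added example; not the report's fault trees and not its results.  The
tree structure and all component failure rates are constructed.  The
exposure (710 h), the 12 cruises per year, and the 90 % intervention
effectiveness are the report's stated assumptions.
"""
from math import exp

CRUISE_HOURS = 710.0
CRUISES_PER_YEAR = 12            # one cruise of one-month duration
P_INTERVENTION_FAILS = 0.10      # manual intervention effective 90 % of the time


class Basic:
    """Basic event: a component failure with a constant rate (per hour)."""
    def __init__(self, name, rate):
        self.name, self.rate = name, rate

    def prob(self, hours):
        # Exponential distribution: P(failure within t) = 1 - exp(-lambda t)
        return 1.0 - exp(-self.rate * hours)


class Fixed:
    """Basic event with a fixed probability, e.g. 'intervention noneffective'."""
    def __init__(self, name, p):
        self.name, self.p = name, p

    def prob(self, hours):
        return self.p


class OR:
    """Output occurs if any input occurs (inputs assumed independent)."""
    def __init__(self, name, *inputs):
        self.name, self.inputs = name, inputs

    def prob(self, hours):
        p_none = 1.0
        for g in self.inputs:
            p_none *= 1.0 - g.prob(hours)
        return 1.0 - p_none


class AND:
    """Output occurs only if every input occurs (inputs assumed independent)."""
    def __init__(self, name, *inputs):
        self.name, self.inputs = name, inputs

    def prob(self, hours):
        p = 1.0
        for g in self.inputs:
            p *= g.prob(hours)
        return p


def build_tree(p_intervention_fails):
    """Constructed tree for 'unscheduled turbine shutdown'.

    Branch 1: an automation fault the watch can catch.  The shutdown occurs
    only if the fault happens AND intervention is noneffective (alarm fails,
    wrong action, action too late).  Passing 1.0 models 'no intervention'.
    Branch 2: a spurious trip from a protective circuit, which nobody can
    intervene in, so it is unmitigated.
    """
    control_fault = OR("automation fault",
                       Basic("combustion-control drift", 1.2e-4),
                       Basic("feedwater-control failure", 9.0e-5),
                       Basic("throttle-control fault", 7.0e-5))
    mitigated = AND("fault not corrected in time",
                    control_fault,
                    Fixed("manual intervention noneffective", p_intervention_fails))
    direct_trip = Basic("spurious protective trip", 4.0e-5)
    return OR("unscheduled turbine shutdown", mitigated, direct_trip)


def redundancy_tree():
    """Loss of ALL throttle control modes: the primary mode AND the hand
    pump AND the hand wheels must all be unavailable.  Primary-mode loss is
    a fairly likely OR of constructed events; the AND with two independent
    manual backups collapses the top-event probability."""
    primary = OR("loss of primary throttle control mode",
                 Basic("throttle servo", 1.5e-4),
                 Basic("throttle controller card", 1.1e-4))
    all_modes = AND("loss of all control modes",
                    primary,
                    Basic("hand pump unavailable", 2.0e-5),
                    Basic("hand wheels seized", 1.0e-5))
    return primary, all_modes


def per_year(p_per_cruise):
    """Per-cruise probability to expected events per year (12 cruises)."""
    return p_per_cruise * CRUISES_PER_YEAR


def mean_hours_between(p_per_cruise):
    """The report's conversion of a per-cruise probability into a mean time
    between events; valid only while the probability is small."""
    return CRUISE_HOURS / p_per_cruise


def summarize():
    with_help = build_tree(P_INTERVENTION_FAILS).prob(CRUISE_HOURS)
    no_help = build_tree(1.0).prob(CRUISE_HOURS)
    primary, all_modes = redundancy_tree()
    return {"shutdown_with_intervention": with_help,
            "shutdown_no_intervention": no_help,
            "loss_primary_throttle": primary.prob(CRUISE_HOURS),
            "loss_all_control_modes": all_modes.prob(CRUISE_HOURS)}


if __name__ == "__main__":
    for event, p in summarize().items():
        print(f"{event:28s} {p:.5f} per cruise  ({per_year(p):.2f} per year)")
```

The independence assumption inside the gates is the one a reviewer should question first: a common-cause event such as loss of control air feeds both the primary throttle mode and, on many installations, the alarm that prompts the manual backup, and a tree that models them as independent inputs understates the top event.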

Based on the predicted values and the data from the literature search, it is felt that the automated propulsion systems analyzed during this study have acceptable levels of reliability for the current mode of operation. However, it must be noted that this applies to the conditions considered during the study analyses. If a specific vessel spends a great deal of time maneuvering and in close quarters, the reliability of the propulsion automation system must be substantially higher. With the current level of technology, the reliability of commercial vessel automated propulsion systems could be orders of magnitude higher. However, most increases in reliability also entail increases in cost, and there is not a one-to-one ratio between improvements in reliability and relative increases in cost. As increasingly higher levels of reliability are sought, the ratio of cost to reliability increases. Also, increased reliability does not necessarily decrease maintenance costs. On the contrary, increased reliability often results in increased complexity, which can have the net effect of increasing maintenance costs.

In order to optimize reliability, maintainability, and costs of any new automated propulsion system, it is recommended that early in the design stage all requirements of proposed systems be predefined and cost trade-offs considered. A system specification should be generated jointly by the control system manufacturer, the shipyard, and the owner/operator. The system specification should call out the desired levels of reliability for critical functions, and specify how the desired levels are to be achieved. The system specification should also define how the system is to be supported during its operational life.

In the area of operational support, the system specification should specify the type and extent of training required for the various crew members, and the required levels of manning. If periods of unmanned engine room operation are planned, alarm provisions should be adequate, and certain critical alarms should be redundant. The system specification should also delineate how the engine room is to be manned during the first 6 months of operation, when failure rates could be up to six times greater than during the steady state period of the operational life. Additionally, the system specification should contain provisions for minimizing the problems incurred during this initial period; this should include workmanship requirements to reduce manufacturing-induced problems, and thorough requirements for system tests to be conducted at the shipyard and during sea trials. The system specification should also describe in detail the preventative maintenance plan that will be applied during the operational life of the system, including how components which are subject to degradation or wearout are to be periodically replaced or overhauled.

It is recommended that a data system for the collection of failure related information be established in order to reduce subjective biases and provide objective means for evaluating costs, component failure rates, maintenance approaches, and other reliability-related factors.
Qualified Member of the Engineering Department
Raytheon
Research and Development
Reliability and Maintainability
Reliability Centered Maintenance
Resistance Temperature Detector
Shaft Driven Generator
Superheated
Shaft Horsepower
Society of Naval Architects and Marine Engineers
Safety of Life at Sea
Single Pole Double Throw

SPST    Single Pole Single Throw
SRC     Slew Rate Controller
SS      Steamship
S.W.    Salt Water
TACH    Tachometer
TC      Throttle Control
T.G.    Turbo-Generator
TT      Turbine Tanker
ULCC    Ultralarge Crude Carrier
UMS     Unattended Machinery Spaces
USCG    United States Coast Guard
VLCC    Very Large Crude Carrier
Vlv     Valve
WET     Environment is Wet


I.  INTRODUCTION 


Due to the rising costs of labor, fuel and insurance, and to the need for higher reliability and safety, it is evident that certain types of automated engine room controls are necessary in order for vessel operations to maintain a competitive position in the marine industry. The problem faced by ship owners/operators is to determine the degree to which automation should be employed, and the type of equipment that should be used, to minimize life cycle costs and maximize reliability and safety. The Coast Guard also is concerned, since unreliable automated engine room systems could be causes of, or major contributing factors to, vessel casualties. Thus, the Coast Guard contracted with DOVAP and Associates to conduct a study of engine room automation systems. The overall purpose of the study was to evaluate the reliability of current engine room control systems, and to provide information and insights as to how future systems could be improved.


The study was contractually stipulated to evaluate the reliability of automated engine rooms for commercial vessels over 1600 tons. The automated systems to be evaluated included combustion control systems, feedwater control, flame safeguard control, burner management, throttle control, and alarm systems. Such systems were evaluated for two different steam vessels. In addition, the automated controls were evaluated for one diesel vessel.

Although the study was primarily concerned with the reliability of automated engine room systems, the effect of maintenance was also to be considered, as was the human interface and backup. Besides being designed to replace the human element, the systems perform more efficiently than the human watchstander. But as with any system, there is no such thing as a perfectly designed system which always functions as intended. Therefore, the human interface could not be eliminated from this study.


A.  STUDY  OBJECTIVE  AND  TASKS 


The overall objective of this study was to provide the U.S. Coast Guard with quantitative and qualitative information for use in assessing potential relationships between engine room automation system reliability and vessel navigation safety hazards. To generate this information, three tasks were contractually stipulated. Additional guidance from the Coast Guard was provided at two workshops held at Coast Guard Headquarters upon completion of Task I, and later Task II.

Task I consisted of a survey of the open literature. The objective of the literature survey was to review all published documents related to the reliability of automated engine room controls. Over 250 documents were reviewed, from which 115 were deemed applicable to the study in some manner.

The objective of Task II was to evaluate the reliability of current, operational automated engine room controls. Task II was originally structured to consist of detailed reliability analyses of two steam vessels and two diesel vessels. Two of the vessels were to have mechanical-based control systems and two were to have computer-based systems. DOVAP's first effort on this task was to contact a number of owner/operators, shipyards, and automation system manufacturers in order to compile a candidate list of vessels with automated engine rooms. This effort revealed that there were no currently operating, large U.S. flag vessels with computer-based automated engine rooms. Task II was then restructured to consist of evaluations of two steam vessels, one diesel vessel, and a criticality analysis in lieu of analysis of the second diesel vessel.

The detailed analyses of the three vessels included, for each, Failure Modes and Effects Analyses (FMEA), reliability predictions, and fault tree analyses. Three major objectives were established for these analyses of the three vessels. The first was that the systems evaluated represent different technological approaches but current state-of-the-art. To this end, the Coast Guard selected the particular vessels to be analyzed from the candidate list of vessels developed by DOVAP.

The second major objective for the analysis was that each system be evaluated to the same depth of detail. To accomplish this, DOVAP obtained documentation that would permit analysis down to the detailed circuit level on all three systems. This documentation consisted of circuit schematics, parts lists, wiring diagrams, panel layouts, and various types of technical manuals.

The third major objective for the analysis was to establish reasonable system boundaries, or, in other words, to define where the engine room control system "stopped" and other ship systems "began". The criterion applied in defining these boundaries was whether or not the vessel would be fitted out with the equipment in question if it did NOT have an automated control system. Based on this criterion, support systems such as ship's electrical power and control air were deemed not part of the systems to be evaluated, since they would be provided on board regardless of whether the engine room was automated. Other areas ruled out by this criterion are atomizing steam, gland steam, pumps (fuel pumps, lube oil pumps, etc.), and valves not specifically required by the automated controls.


The overall objective of Task III was to translate the results, findings, and observations of Tasks I and II into a baseline of reliability-related information suitable for use by the Coast Guard in its various activities. To achieve this overall objective, four subtasks were established, viz:

a) Delineation of design and performance criteria from a reliability standpoint.

b) Performance of a maintenance analysis of ship automation equipment, and identification of the effect maintenance can have in improving reliability.

c) Recommendation of guidelines for Coast Guard use in the following areas:

1) Design approval of engine room automation systems.

2) Accident investigation related to engine room automation system failures.

3) Periodic inspections and tests of engine room automation systems.

4) Recommendation of the desired levels of formal training and experience for automated engine room crew members.


B. STUDY APPROACH AND REPORT ORGANIZATION


In the following paragraphs, the approaches taken to the various study tasks are briefly described. These approach paragraphs are organized below according to the report section where more detailed discussions can be found.


Section II, The Fundamentals of Reliability:

It is anticipated that some readers of this report will have had little or no experience in the field of reliability. Therefore, a section was provided giving tutorial discussions on the fundamentals of reliability. For the sake of brevity, the discussions make no attempt at a textbook level of coverage. Rather, they briefly describe the theoretical basis of reliability and some of the more commonly applied reliability practices.


Section III, General Discussion of Control Systems:

It was felt that some readers of this report might possibly not be acquainted with the operation of engine room control systems. A section was therefore provided to briefly discuss those operational aspects.


Section IV, Literature Review:

During the Task I literature review, approximately 250 documents were initially reviewed, and of these 115 were selected as applicable. The approach taken in the selection was to review all documents that pertained to maritime reliability, or to some other aspect of maritime automation that could conceivably impact reliability (state-of-the-art, maintenance practices, operating experience, environmental effects, etc.). Summaries of the applicable documents were prepared, and accessing codes were set up. Section IV of this report summarizes the results of this effort, and Appendix A contains the document summaries and accessing codes.


Section V, Control Systems Selected for Study:

Considerable effort was devoted to the selection of the control systems that would be investigated during the study. DOVAP generated a list of candidate systems based on the following criteria:

a) The vessel must have an automated propulsion control system.

b) The candidate vessel should have been handed over to the owner/operator within the last five years. This was to ensure that the system is of the current state-of-the-art, and also that there is substantial operating time on the vessel.

c) The vessel is in excess of 1600 DWT.

d) The vessel has been operated beyond the various warranty periods.

e) The vessel is U.S. flag.

f) The control system is produced by a U.S. manufacturer.

g) Sufficient documentation on the vessel is available for analysis during the study period.

From the candidate list, the Coast Guard made the final selection of the systems to be evaluated.


Section VI, Failure Rate Predictions:

Failure rate predictions were generated for the three automated engine room control systems under investigation. The approach taken in generating these predictions was to use failure rates from established sources. In many cases adjustment factors had to be developed to account for the commercial engine room environment.


Section VII, Failure Modes and Effects Analysis (FMEA):

The basic, overall approach to the FMEAs for all three ships was first to subdivide the hardware into realistic, manageable groupings. At the "top level," these groupings constitute the subsystems, or major functional areas.

The hardware within each subsystem was then further subdivided by examining the individual hardware elements. Groupings were established based on the subfunctions performed. The failure modes and effects for each part or group of parts were then determined.


Section VIII, Fault Tree Analysis:

Fault tree analyses describe analytically the undesired states of the systems, and all credible ways in which the undesired events can occur.

For the fault trees developed during this study, the top undesirable events were defined in the Statement of Work. Due to the basic differences between diesel and steam systems, the top undesirable events are somewhat different for the two types of systems.

The approach to, and findings of, the fault tree analyses are described in detail in Section VIII. The individual fault trees for Ships A, B, and C, respectively, are provided in Appendices B, C, and D.


Section IX, Criticality Analysis:

The criticality analysis was based on information from all other analyses as well as on information obtained by DOVAP personnel during trips aboard the two steam vessels. Quantitative analyses were conducted utilizing this information in order to identify and evaluate the interactions, relationships, and ramifications that can impact the severity of failures. This "severity," in turn, relates to the end effect of the failure on the vessel.

The quantitative criticality analysis focused on identifying the various "scenario" factors that determine whether or not a potentially critical failure effect will indeed have critical consequences. Where these factors and their various ramifications could be quantified, they were included in the quantitative analysis.


Section  X;  Reliability  Design  and  Performance  Criteria: 

The  reliability  design  and  performance  criteria  were 
developed  as  a  subtask  of  Task  III.  During  this  effort  the  de¬ 
sign  and. performance  aspects  were  considered  from  the  stand¬ 
point  of  their  role  in  improving  reliability  and  reducing 
system  downtime. 

In  conducting  this  subtask,  DOVAP  evaluated  such  factors 
as  design  practices,  operational  characteristics,  quality  pro¬ 
vision,  etc.,  that  can  impact  the  reliability  of  engine  room 
automation  systems.  A  number  of  candidate  areas  for  improving 
the  probability/effect  of  engine  room  automation  system 
failures  were  identified  and  categorized.  These  areas  are  sup¬ 
ported  by  examples  taken  from  the  findings  and  observations  of 
Tasks  I  and  II,  and  from  information  obtained  from  firms 
specializing  in  the  repair  of  engine  room  automation  systems. 


Section  XI,*  Maintenance  Analysis: 

The maintenance analysis which was performed during this study
on the components of automation systems was not of the classical
logistics support analysis type. That is, because of limitations
in the scope of work and undefined maintenance concepts and plans,
individual components were not evaluated as part of a total
integrated program. Frequency and depth of all maintenance actions
in many cases are subjected to trade-offs; however, in this study
the engine room maintenance could not be optimized because only a
portion of the total engine room equipment was evaluated. Although
the automated controls are a very important aspect of the ship's
machinery, they require a relatively small portion of the overall
vessel's preventative maintenance efforts.


Section XII, Miscellaneous Study Observations:

During the course of the study, several observations were made
that were either of a general nature or not specifically
applicable to any single study task. These observations involve
such areas as the technology approach to engine room control and
various design aspects that can impact operational procedures.
Section XIII, Guidelines for Coast Guard Use:

As part of Task III, the Statement of Work required that DOVAP
develop guidelines for use by the Coast Guard in the following
areas of its activities:

a) Propulsion automation system design approval.

b) Accident investigations related to propulsion automation
systems.

c) Inspections and test of propulsion automation systems.

d) Crew training and experience considerations.


Section XIV, Conclusions and Recommendations:

This section of the report contains the major conclusions and
recommendations from all individual tasks and subtasks. It also
tabulates the major results of the various quantitative
evaluations.


II. THE FUNDAMENTALS OF RELIABILITY


DOVAP expects that some readers of this report will have had
little or no experience in the field of reliability. Hence, this
section provides tutorial discussions on the fundamentals of
reliability so that subsequent report sections can be more
readily understood and objectively evaluated. For the sake of
brevity, the discussions make no attempt at a textbook level of
coverage. Rather, they briefly describe the theoretical basis of
reliability and some of the more commonly applied reliability
practices.


A.  THE  THEORETICAL  BASIS  OF  RELIABILITY 

The term "reliability" means different things to different
people. To some, it implies an intuitive measure of equipment
"worth" or "ruggedness"; to others, an indication of
dependability. To the reliability analyst, it implies a numerical
indication of how "failure prone" an equipment is (or is not).
The theoretical basis for such numerical indications of "failure
proneness" begins with the bathtub curve.

This curve, as shown below, indicates that infant mortality
failures occur early in the life of an equipment, and that after
they have been eliminated during the de-bugging process, a period
of steady state operation follows. During the steady state,
failures occur at their lowest rate. At the onset of equipment
wear-out, the number of failures begins to increase, and increases
steadily as the aging process continues.


[Figure: The Bathtub Curve, failure rate plotted against time]


The statistical implications of the bathtub curve make it far
more than simply a common sense observation of equipment failure
behavior. The major implication, which is the foundation of
reliability theory, is that failure probabilities can be computed
statistically. For instance, during the steady state, the failure
rate (i.e., the number of failures occurring in a given time
period) does not increase or decrease. Instead, the failure rate
is constant across all incremental "slices" of time during the
steady state. Failures are also random during the steady state.
That is, they are not due to any known cause, such as design
defects (which should have been weeded out during de-bugging) or
wearout. To the statistician, these characteristics indicate that
the failure rate conforms to the statistical exponential
distribution. By applying the proper mathematical formula for the
exponential distribution, the success probability, that is, the
probability of no failure, can be computed.

This formula, which involves the simplest of any statistical
distribution, is:

$R = e^{-\lambda t}$

where R is the numerical reliability, or in other words, the
probability that the equipment will not fail. The failure rate is
$\lambda$, e is the Napierian constant (2.718...), and t is the
time period of interest.

As an example, assume that we had collected failure data on a
certain type of equipment, and thus knew that it failed, on
average, three times every 10,000 hours. Its failure rate
($\lambda$) would be 3/10,000, or $3 \times 10^{-4}$. Assume also
that we wish to know the probability that the equipment will not
fail (i.e., the reliability) in a 1,000 hour period. Then,

$R = e^{-(3 \times 10^{-4})(1000)} = 0.74$, or 74%

Therefore, there is a 74 percent chance that the equipment will
not fail during the 1,000 hour period. Conversely, there is a 26
percent chance that it will fail. (That is, there is a 100 percent
chance that it will either fail or not fail, and 100 percent minus
74 percent is 26 percent.)

There are, of course, other statistical distributions than the
exponential distribution. Failure data, including failure rates,
have been collected and analyzed for electronic equipment for over
20 years now, and this has resulted in general agreement that the
exponential distribution "fits" the steady state failure
characteristics of electronic equipment. There are some
indications that the failure characteristics of mechanical
equipment follow some other distribution. But for simplicity and
lack of an extensive statistical data base on mechanical equipment
failures, the exponential distribution is usually used.


B.  THE  PROBABILISTIC  NATURE  OF  RELIABILITY  PREDICTIONS 

The above discussion indicates that reliability predictions are
probabilistic. To properly interpret reliability predictions, it
is mandatory that their probabilistic nature be kept firmly in
mind. For instance, a predicted reliability of 75 percent does not
necessarily mean that, for a relatively small number of trials or
tests, 75 percent of the time the equipment will not fail. This
can be seen by considering that in a coin toss, there is a 50
percent chance of heads and 50 percent chance of tails. This does
not mean that 10 tosses will yield exactly 5 heads and 5 tails.
Over a large number of trials, however — say 1,000 or 10,000 —
about a 50-50 ratio should be observed. Similarly, over a large
number of trials or tests of identical equipment during the time
period of interest, the ratio of the number that fail to the
number that do not fail should conform approximately to the ratio
of the success-failure probabilities.

Predicted reliabilities for equipment can range from less than 1
percent to greater than 99 percent, depending on the equipment's
failure rate and the time period of interest. Conversely, the
probability of failure can range from over 99 percent to less than
1 percent. In interpreting the "likelihoods" associated with such
percentages, it is useful to recall that a 50 percent probability
indicates that the predicted event is equally likely or unlikely.
That is, it is likely to occur about half the time, and unlikely
to occur the other half of the time. From the 50 percent point
upward, the predicted event becomes more and more likely; from the
50 percent point downward, the predicted event becomes more and
more unlikely.


C.  FAILURE  RATES 

Reliability predictions can obviously be no more accurate than
the failure rates used in computing them. The most realistic
equipment failure rate is one obtained from field data on a
statistically valid sample of like equipments used in the same
environment. Except for some military equipment, such a failure
rate is seldom available because it requires failure data
collected on many similar equipments over thousands of hours of
operating time. Equipment failure rates generally considered the
next most realistic, and the ones usually used in practice, are
equipment failure rates computed from the failure rates of the
piece parts (i.e., transistors, relays, motors, gears, etc.) that
make up the equipment. There are several standard compendiums of
piece part failure rates covering a statistically valid sample.
MIL-Handbook 217 — the "bible" for electronic piece part failure
rates — reflects data on millions of electronic piece parts
collected over billions of operating hours.
For an equipment that will fail if any one of its piece parts
fails, the equipment failure rate is the sum of the piece part
failure rates. Most "lower level" equipment does fail in this
manner; for instance, a circuit will fail if one of its
transistors fails. At "higher levels," some part failures may not
cause equipment failures (for instance, the failure might affect
only that portion of the equipment provided for troubleshooting).
The reliability analyst must take this into consideration. This
is usually done by dividing the equipment up into its lower level
components, and then treating each component according to how its
failures affect the equipment.

As  an  example,  consider  a  very  simple  piece  of  equipment 
that  is  made  up  of  three  identical  circuits.  Assume  that  it  has 
been  determined  that  failure  of  any  circuit  would  cause  failure 
of  the  equipment,  and  that  failure  of  any  piece  part  would  cause 
the  circuit  to  fail.  Also  assume  that  each  circuit  contains  two 
transistors  and  a  relay  and  that  their  failure  rates  are  as 
shown. 


PART         QUANTITY   FAILURE RATE PER PIECE PART
Transistor   2          0.18 failures per million hours
Relay        1          2.60 failures per million hours

The failure rate for each of the three circuits would be:

$(0.18 \times 10^{-6}) + (0.18 \times 10^{-6}) + (2.60 \times 10^{-6}) = 2.96 \times 10^{-6}$
   (transistor)          (transistor)          (relay)


The failure rate for the equipment would be the sum of the
failure rates for the three circuits, or,

$3(2.96 \times 10^{-6}) = 8.88 \times 10^{-6}$, or 8.88 failures per million hours.

One of the most well known measures of reliability is MTBF (Mean
Time Between Failures). MTBF is the reciprocal of the failure rate
(or vice-versa). So in this example the MTBF would be
$1/(8.88 \times 10^{-6})$, or 112,613 hours.


D. RELIABILITY IMPLICATIONS OF TIME

As discussed in Section II.A, reliability predictions based on
the exponential distribution are computed for some time period of
interest. It is obvious that if the time period is short, the
reliability will be high (or, the probability of failure will be
low). This is because the shorter the period, the less opportunity
for random failures to occur. Conversely, the longer the period
the more opportunity for random failures, and the predicted
reliability will be lower.
To illustrate, consider an equipment that has a failure rate of
50 failures per million hours. If we assume it operates 40 hours
per week, the following reliabilities can be computed:

Reliability for 1 Week:

$R = e^{-(50 \times 10^{-6})(40\ \text{hours})} = 99.8\%$

Reliability for 1 Year:

$R = e^{-(50 \times 10^{-6})(40\ \text{hours} \times 52\ \text{weeks})} = 90.1\%$

Reliability for 3 Years:

$R = e^{-(50 \times 10^{-6})(40\ \text{hours} \times 52\ \text{weeks} \times 3\ \text{years})} = 73.2\%$

The failure rate used in this example (i.e., $50 \times 10^{-6}$)
is in the ballpark range for many types of electronic "black
boxes." The predictions indicate that it has less than a 1 percent
chance of failing over a period of a week, or, that failure is
extremely unlikely. Over a period of a year, with a failure
probability of about 10 percent, failure is unlikely. After the
equipment has been in operation for three years, however, it has
about a 27 percent chance of failure, implying that over the
3-year period, it has somewhere between a one-out-of-four to
one-out-of-three chance of failing.
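The computations of Sections II.A, II.C and II.D above, carried out in Python as an added example that is not part of the DOVAP report: a series failure rate summed from piece-part rates, its MTBF, the exponential reliability for given operating periods, and the inverse question of how long an item can run before its failure probability reaches a chosen value. The function and constant names are this example's own.

```python
"""Exponential reliability calculations from Sections II.A, II.C and II.D.

Added example; this is not code from the DOVAP report.  Failure rates are
kept in failures per hour internally, converted from the report's
"failures per million hours" units.
"""
import math

PER_MILLION_HOURS = 1e-6  # 1 failure per million hours = 1e-6 failures/hour


def series_failure_rate(parts):
    """Failure rate of an item that fails when any one of its parts fails.

    parts: iterable of (quantity, failure_rate_per_part) tuples.
    Returns the sum of the piece-part failure rates (failures per hour).
    """
    return sum(quantity * rate for quantity, rate in parts)


def mtbf(failure_rate):
    """Mean Time Between Failures in hours: the reciprocal of the failure rate."""
    return 1.0 / failure_rate


def reliability(failure_rate, hours):
    """R = e^(-lambda t): probability of no failure over `hours` of operation."""
    return math.exp(-failure_rate * hours)


def failure_probability(failure_rate, hours):
    """Probability of at least one failure over `hours` (100 percent minus R)."""
    return 1.0 - reliability(failure_rate, hours)


def hours_until_failure_probability(failure_rate, probability):
    """Inverse of failure_probability: operating hours after which the chance
    of a failure reaches `probability`  (t = -ln(1 - p) / lambda)."""
    if not 0.0 < probability < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    return -math.log(1.0 - probability) / failure_rate


def circuit_failure_rate():
    """Section II.C circuit: two transistors at 0.18 and one relay at 2.60
    failures per million hours; any part failure fails the circuit."""
    return series_failure_rate([
        (2, 0.18 * PER_MILLION_HOURS),   # transistors
        (1, 2.60 * PER_MILLION_HOURS),   # relay
    ])


def equipment_failure_rate():
    """Three identical circuits in series: 3 x 2.96e-6 = 8.88e-6 failures/hour."""
    return series_failure_rate([(3, circuit_failure_rate())])


def duty_cycle_reliabilities(failure_rate, hours_per_week, weeks_list):
    """Section II.D: reliability over part-time operation (e.g. 40 h/week).
    Returns {weeks: reliability} for each entry in weeks_list."""
    return {weeks: reliability(failure_rate, hours_per_week * weeks)
            for weeks in weeks_list}


if __name__ == "__main__":
    # Section II.A: three failures per 10,000 hours, over a 1,000 hour period.
    print(f"R(1,000 h) at 3e-4/h = {reliability(3e-4, 1000):.0%}")

    # Section II.C: equipment failure rate and MTBF.
    lam = equipment_failure_rate()
    print(f"equipment failure rate = {lam / PER_MILLION_HOURS:.2f} per million hours")
    print(f"MTBF = {mtbf(lam):,.0f} hours")

    # Section II.D: a 50-per-million-hour "black box" run 40 hours per week.
    black_box = 50 * PER_MILLION_HOURS
    for weeks, r in duty_cycle_reliabilities(black_box, 40, [1, 52, 156]).items():
        print(f"{weeks:>3} weeks: R = {r:.1%}, P(fail) = {1 - r:.1%}")
    # How long the same box can run before a failure becomes a coin toss.
    hours = hours_until_failure_probability(black_box, 0.5)
    print(f"50% failure probability after {hours:,.0f} operating hours")
```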


E. RELIABILITY IMPLICATIONS OF THE NUMBER OF PARTS

It is common sense that the more parts there are in an
equipment, the greater the chance that one of them will fail.
This can also be seen by considering that the failure rate of an
equipment is the sum of the failure rates of its essential piece
parts.

Integrated  circuits  typically  have  failure  rates  ranging 
from  0.05  to  0.1  failures  per  million  hours.  This  means  that 
for  a  single  integrated  circuit  to  have  even  a  10  percent  to  30 
percent  chance  of  failing,  it  would  have  to  operate  continuously 
for  over  2,000  years.  Most  equipments,  however,  have  at  least 
20  integrated  circuits,  and  a  subsystem  consisting  of  10  or  so 
equipments  can  have  more  than  500  integrated  circuits.  With 
this  amount  of  circuitry,  failure  is  likely  at  some  point  over  a 
1-year  period. 


F.  REDUNDANCY  AND  RELIABILITY  MODELLING 

In the discussions above, we have been dealing with equipment
that would fail if any of its piece parts failed. There are
several situations where this would not be the case. As indicated
above, for instance, the equipment would not necessarily fail if
one of its parts provided only for troubleshooting failed. Another
case would involve equipment where redundancy is utilized.

Assume,  for  instance,  that  an  equipment  contains  a  "black 
box  A,"  and  that  for  the  equipment  to  remain  operable,  black  box 
A  must  remain  operable.  Now,  if  two  identical  "black  boxes  A" 
were  provided,  the  equipment  would  remain  operable  if  either  one 
of  the  redundant  "black  boxes  A"  remained  operable. 

In order to compute the probability that a redundant
configuration is operable, the probabilities that the individual
redundant items are operable must be considered. This is done
according to the rules of Boolean algebra.

In our example involving two "black boxes A," call them A1 and
A2, a truth table can be developed. In the table, an entry of 0
indicates the hardware has failed (is non-operable), and an entry
of 1 indicates that it is operable. For A1 and A2, there will be
4 possible states — both operable, A1 operable and A2
non-operable, etc. For each of these possible states, the
equipment will be operable (an entry of 1) if A1 or A2 is
operable. The truth table depicting these states is as follows:

A1   A2   Equipment

1    1    1           State 1
1    0    1           State 2
0    1    1           State 3
0    0    0           State 4

The probability that the equipment is operable, that is, its
reliability $R_E$, can be obtained by properly combining the
probabilities that A1 and A2 are operable ($R_{A1}$, $R_{A2}$).
In Boolean terms, where + indicates the logical "or", $\cdot$ the
logical "and", and the bar the logical "not", the expression for
our example is:

$R_E = (R_{A1} \cdot R_{A2}) + (R_{A1} \cdot \bar{R}_{A2}) + (\bar{R}_{A1} \cdot R_{A2})$
           State 1              State 2                  State 3


In the above expression, the "$\bar{R}$'s" indicate that a
particular black box is not operable. This is equivalent to one
minus the probability that it is operable (since the probability
that it is operable plus the probability that it is not operable
equals 100 percent). Thus,

$\bar{R}_{A1} = 1 - R_{A1}$
and $\bar{R}_{A2} = 1 - R_{A2}$


Substituting these in the above expression yields:

$R_E = (R_{A1} \cdot R_{A2}) + (R_{A1}(1 - R_{A2})) + ((1 - R_{A1}) R_{A2})$

Since we have defined the two black boxes as identical, their
reliabilities will also be identical. In other words,

$R_{A1} = R_{A2}$

By referring to these simply as $R_A$, substituting this into the
Boolean expression yields:

$R_E = R_A^2 + 2(R_A(1 - R_A))$

Further ordinary algebraic simplification yields:

$R_E = 2R_A - R_A^2$

It might be wondered why it would not be correct, and far
simpler, to express the probability that the equipment was
operable as simply the probability that either of its black boxes
were operable, or,

$R_E = R_{A1} + R_{A2} = 2R_A$

The reason is that this will not cover all the probability,
whereas the state table approach does. That is, if the
probabilities for all 4 states in the above table were summed,
they would yield 100 percent. In other words, there is 100 percent
probability that the equipment will be in one of the four states
identified.

To obtain a numerical indication for this, assume that the black
box reliability is 80 percent. According to the expression
developed from the state table,

$R_E = 2(0.80) - (0.80)^2 = 0.96$, or 96%

If we had used the expression $R_E = 2R_A$, we would have computed
an $R_E$ of 1.6, or 160 percent, which is a meaningless
probability. That is, the probability of some occurrence can never
be greater than 100 percent.

This example of using a truth table and combining probabilities
according to Boolean logic is known as reliability modelling.
Theoretically, the reliability of any system can be modelled in
this manner. In practice, truth tables can rapidly become too
lengthy to handle (e.g., truth tables covering three "black boxes"
would contain 8 states, those for four "black boxes" 16 states,
etc.). For this reason, shorthand approaches have been developed.
The one most widely utilized is the reliability block diagram
approach.


In the block diagram approach to reliability modelling, the
success paths are depicted. In the example of the redundancy
above, the block diagram would be:

[Block diagram: start, then A1 and A2 as two parallel paths, then end]

This indicates that the success path from start to end can be
either via A1 or A2. When such a success path appears on a block
diagram, the analyst knows to compute its numerical reliability
from the expression developed from the truth table above, namely,
$2R_A - R_A^2$. This equation, as well as those for many other
block diagram configurations, is available in all standard
reliability textbooks and handbooks, including MIL-Handbook 217.


G.  RELIABILITY  BLOCK  DIAGRAMS 

As can be seen from the above discussion, in order to facilitate
the computation of the reliability of an equipment, its
reliability block diagram should first be developed. In other
words, the success paths should be depicted. This, in turn,
requires that the "success" of the equipment be defined in terms
of the "success-failure" of each of the "black boxes."

As an example of the process, assume we have an equipment
composed of two "Black Boxes A" in the redundant configuration
discussed above. Assume also that there is one "Black Box B", and
that it must be operable for the equipment to be operable.
Further, assume there are three identical "Black Boxes C," and
that the equipment will remain operable as long as any one of the
three is operable. The block diagram for this equipment would be
as follows:

[Block diagram: start, then A1 and A2 in parallel, then B in
series, then C1, C2 and C3 in parallel, then end]
From this diagram, the success path can be seen to be:

a) Either A1 or A2 operable, and

b) B operable, and

c) Either C1, C2 or C3 operable.

Because of their "parallel" relationship in the block diagram, A1
and A2 are said to be in parallel in reliability terminology.
Similarly, Box B is in series in the reliability sense. C1, C2,
and C3 form another parallel arrangement and are referred to as a
1 out of 3 parallel configuration.

Computing the reliability of the equipment, that is, computing
the probability that it is operable, involves computing the
probability that a success path exists.

For the A1-A2 parallel redundancy, we know either from the
equation developed from the truth table above or from a handbook
that the reliability (i.e., the probability of a success path)
is:

$2R_A - R_A^2$

Since Box B is in series, the probability of a success path is
simply the probability that it is operable, or in other words, its
reliability, $R_B$.

For the 1 out of 3 parallel configuration, the probability that a
success path exists can either be derived from a truth table or
obtained from a handbook and is:

$R_C^3 - 3R_C^2 + 3R_C$


The probability that the equipment is operable, or its
reliability $R_E$, is the probability that a success path exists
from "start" to "end" in the reliability block diagram. From the
individual success probabilities above, this can be seen to be:

$R_E = (2R_A - R_A^2)(R_B)(R_C^3 - 3R_C^2 + 3R_C)$

$R_E$ can be computed by obtaining failure rates for the "black
boxes" so that values can be obtained for $R_A$, $R_B$, and
$R_C$. The overall objective of reliability modelling and block
diagramming, however, does not consist solely of obtaining
"numbers." Insights more valuable than numerical results can often
be gained, especially with complex systems where reliability
relationships would remain obscure without modelling. For
instance, in the example above, it can be seen that Box B governs
the reliability of the equipment. The numerical reliability of the
equipment can never exceed the numerical reliability of Box B;
therefore, reliability improvement efforts should focus on Box B.
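The truth table method and the block diagram expressions of Sections II.F and II.G, as an added Python example (not code from the DOVAP report): every operable/failed state of the black boxes is enumerated and its probability summed, the result is checked against the handbook expressions $2R_A - R_A^2$ and $R_C^3 - 3R_C^2 + 3R_C$, and the enumeration is generalised to any k-out-of-n parallel group. Box names and function names are this example's own.

```python
"""Reliability modelling by truth table and block diagram (Sections II.F, II.G).

Added example; this is not code from the DOVAP report.  The truth table
method enumerates every operable/failed combination of the "black boxes"
and sums the probabilities of the states in which a success path exists.
"""
from itertools import product


def truth_table_reliability(box_reliabilities, success_path):
    """Probability that the equipment is operable, by state enumeration.

    box_reliabilities: {box name: probability the box is operable}
    success_path: function of {box name: 1 (operable) or 0 (failed)} that
                  returns True when the equipment is operable in that state.
    A state's probability is the product of R for each operable box and
    (1 - R) for each failed box; all 2^n states together sum to 100 percent.
    """
    names = list(box_reliabilities)
    operable_probability = 0.0
    for bits in product((1, 0), repeat=len(names)):
        state = dict(zip(names, bits))
        state_probability = 1.0
        for name in names:
            r = box_reliabilities[name]
            state_probability *= r if state[name] else 1.0 - r
        if success_path(state):
            operable_probability += state_probability
    return operable_probability


def two_parallel(r_a):
    """Handbook expression for two identical boxes in parallel: 2R - R^2."""
    return 2 * r_a - r_a ** 2


def one_of_three(r_c):
    """Handbook expression for a 1-out-of-3 parallel configuration."""
    return r_c ** 3 - 3 * r_c ** 2 + 3 * r_c


def k_of_n(r, k, n):
    """General k-out-of-n parallel configuration of identical boxes, derived by
    enumeration.  k=1, n=2 and k=1, n=3 are the two cases the text covers."""
    boxes = {f"X{i}": r for i in range(1, n + 1)}
    return truth_table_reliability(boxes, lambda s: sum(s.values()) >= k)


def section_g_equipment(r_a, r_b, r_c):
    """Block diagram of Section II.G: (A1 or A2), then B, then (C1 or C2 or C3).
    Series blocks multiply; each parallel group uses its handbook expression."""
    return two_parallel(r_a) * r_b * one_of_three(r_c)


def section_g_by_truth_table(r_a, r_b, r_c):
    """The same equipment modelled directly from its 2^6 = 64 states."""
    boxes = {"A1": r_a, "A2": r_a, "B": r_b, "C1": r_c, "C2": r_c, "C3": r_c}
    return truth_table_reliability(
        boxes,
        lambda s: (s["A1"] or s["A2"]) and s["B"] and (s["C1"] or s["C2"] or s["C3"]),
    )


if __name__ == "__main__":
    # Two "black boxes A" at 80 percent: the state table gives 96 percent,
    # whereas the naive R_A1 + R_A2 would give a meaningless 160 percent.
    naive = 0.80 + 0.80
    print(f"2R_A - R_A^2 = {two_parallel(0.80):.2f}   (naive sum would be {naive:.2f})")
    print(f"by truth table = {k_of_n(0.80, 1, 2):.2f}")

    # Section II.G equipment: Box B governs, so R_E never exceeds R_B.
    r_a, r_b, r_c = 0.80, 0.90, 0.70
    print(f"R_E (block diagram) = {section_g_equipment(r_a, r_b, r_c):.4f}")
    print(f"R_E (truth table)   = {section_g_by_truth_table(r_a, r_b, r_c):.4f}")
    print(f"R_B                 = {r_b:.4f}")
```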


H.  RELIABILITY  IMPLICATIONS  OF  PART  FAILURE  RATES 

Over the past two decades, many thousands of man-hours have been
spent analyzing electronic part failures and failure rates.
Through these efforts, an extensive body of information has been
acquired; the primary reference source for this information is
MIL-Handbook 217.

Failures and failure rates for non-electronic parts (mechanical,
pneumatic, electrical, etc.) have received considerable, though
less extensive, analysis. Thus, in general, less data is available
on failure rates for non-electronic than for electronic parts.
Also, while little numerical data is available on failure rate
contributing factors for non-electronic parts, a significant
amount exists for electronic parts. Though this numerical data on
failure rate contributing factors for non-electronic parts is
scarce, there is general agreement that the same basic factors
contribute to failures in both electronic and non-electronic
parts. For electronic parts, these factors — together with their
numerical values for various conditions — are given in
MIL-Handbook 217.

Probably the most important implication of these failure rate
contributing factors is that "improving" the factors will improve
the failure rate. This can be seen by considering the method of
determining a part failure rate from MIL-Handbook 217.

In this handbook, part failure rates are given in the form of a
base failure rate multiplied by modifying, or K-factors. That is:

$\lambda_p = \lambda_b \cdot \pi_{k1} \cdot \pi_{k2} \cdots$
where $\lambda_p$ is the failure rate for the specific part under
consideration (for instance, a PNP power transistor). $\lambda_b$
is the base failure rate for the generic category of parts (for
instance, PNP transistors). To obtain the part failure rate
($\lambda_p$), the generic base failure rate ($\lambda_b$) is
multiplied by the appropriate K-factors. These K-factors reflect
failure rate contributing factors that impact the base failure
rate multiplicatively.

That is, they increase or decrease the base failure rate by some
multiple. The base failure rate, $\lambda_b$, also reflects
failure rate contributing factors, but rather than being direct
multiples, these contributing factors impact the failure rate
exponentially. To illustrate, the part failure rate for a silicon
PNP power transistor is developed below.

The MIL-Handbook 217 expression for transistor failure rates is:

$\lambda_p = \lambda_b (\pi_E\, \pi_A\, \pi_Q\, \pi_R\, \pi_{S2}\, \pi_C)$

For transistors, $\lambda_b$ is a function of junction temperature
and the ratio of applied to rated power. Therefore, junction
temperature and this power ratio are contributing factors to the
failure rate, and as indicated above, the relationship is
exponential. The lower the value of these factors, the lower, or
"better", the failure rate. A transistor that has been de-rated so
that the ratio of applied power to rated power is 30 percent, and
that is operating at a junction temperature of 70° C, has a base
failure rate of $0.0023 \times 10^{-6}$. If the power stress ratio
(i.e., the ratio of applied to rated power) is 60 percent, and the
junction temperature is 80° C, the base failure rate for the same
device is $0.0077 \times 10^{-6}$, or over three times the base
failure rate for benign conditions.

In the failure rate equation above, $\pi_E$ is a K-factor that
accounts for the part's operating environment. For a "ground
benign" environment, i.e., the typical environment within a
building, $\pi_E$ has a value of 1.0. For the "naval sheltered"
environment, i.e., on shipboard but not on deck or exposed to the
elements, $\pi_E$ has a value of 9.8. For the "naval unsheltered"
environment, $\pi_E$ is 21.0.

The $\pi_A$ factor in the failure rate equation is an application
factor, and accounts for the way the part is used. If the part is
used in a "switching" application (as in logic circuitry),
$\pi_A$ has a value of 0.7. If the part is used in a "linear"
application (as in analog or power circuitry), $\pi_A$ is 1.5.

The next factor, $\pi_Q$ — the quality factor — represents a
failure rate contributing factor that offers significant
possibilities for failure rate improvement. It is a function of
the level of quality control applied by the part manufacturer.
For transistors, $\pi_Q$ for the lowest quality level is 12.0.
This level covers plastic encapsulated, commercial parts which are
subjected to the fewest quality control measures, and are sold
essentially as they come off the assembly line. For the next
lowest quality level, $\pi_Q$ is 6.0. Quality control measures at
this level include use of better materials (non-plastic), and some
checking and screening after the parts come off the line. For the
highest quality level, which includes stringent materials and
manufacturing controls, screening and burn-in, $\pi_Q$ is 0.12.
Thus $\pi_Q$, and with it the transistor failure rate, can vary
from 0.12 to 12, or a factor of 100, depending on the part's
quality level.

The $\pi_R$ factor in the failure rate equation above accounts
for the power rating of the transistor. It ranges from a low value
of 1.0 for transistors rated at 1 watt or less, to a high of 5.0
at ratings of 50 watts and above.

$\pi_{S2}$ is the voltage stress factor, and depends on the ratio
of applied to rated voltage. For a ratio of 50 percent (i.e., the
applied voltage is half the rated voltage), $\pi_{S2}$ has a value
of 0.65. For a ratio of 100 percent, $\pi_{S2}$ is 3.0, which
implies over a three-fold increase in the part failure rate.

$\pi_C$ is the complexity factor, and reflects how the transistor
is interconnected within its package. For a single transistor in
a TO-5 can, $\pi_C$ is 1.0; for a dual transistor in a Darlington
configuration, $\pi_C$ is 0.8.

The table below depicts how the part failure rate can vary for
the same transistor for the same application. "Low" and "high"
values were used only for those factors within the designer's
control. For instance, the value of $\pi_E$ is for the naval
sheltered environment in both cases because the designer
generally cannot change the operating environment of the
equipment.

As can be seen from the table, the part failure rate for the
transistor can be improved over 150-fold through factors within
the designer's control. Similar failure rate improvements are
possible with other types of parts. For electronic parts,
MIL-Handbook 217 can be consulted to identify the applicable
factors. This handbook is periodically revised, and the current
version is MIL-Handbook 217D. For non-electronic parts, the
rationale is the same even though specific data are scarce. That
is, failure rate improvements can be gained through de-rating,
improved quality control, improved operating environment, etc.
Table II-1
Part Failure Rate

Failure Rate Parameter

  $\lambda_b$ (base failure rate)
  $\pi_E$ (environmental factor)
  $\pi_A$ (application factor)
  $\pi_Q$ (quality factor)
  $\pi_R$ (power rating factor)
  $\pi_{S2}$ (voltage stress factor)
  $\pi_C$ (complexity factor)
  $\lambda_p$ (part failure rate)

[The table's "Low" and "High" value columns were not recovered
from the scan.]

I. FAILURE MODES AND EFFECTS ANALYSIS

One of the most important "tools of the trade" of the reliability
engineer is the Failure Modes and Effects Analysis — FMEA, or the
Failure Modes, Effects and Criticality Analysis — FMECA. Through
this analytical approach, possible failure modes are identified,
then their effects are determined. Usually, the criticality of the
failure effects is also determined.

In performing an FMEA or FMECA, the level to which the analysis
will be conducted is first established. Depending on the
circumstances, this can be to the part level (e.g., transistor,
NAND gate, solenoid valve, limit switch, etc.), to the "circuit"
level (e.g., flip-flop, amplifier, servo-loop, etc.), or in
complex systems, to the "black box" level (e.g., communications
receiver, computer memory module, hydraulics assembly, etc.).
Obviously, the "lower" the level considered — e.g., the part level
or "circuit" level — the more detailed the information produced
concerning how the equipment will behave under potential failure
conditions.

The various hardware "elements" are then considered
individually. For each element, possible failure modes are
identified. For instance, for diodes possible failure modes include
fail-open and fail-short; for NAND gates, fail-high and
fail-low, etc. The failure effect is then determined for each
failure mode. This is usually done at two levels, the subsystem
or "component" level, and the system level.

The subsystem failure effect if a particular diode failed
open, for instance, could be that a certain signal would never
"go active," in turn, preventing some particular device from
ever being actuated. The system failure effect, then, would be
the effect on system operation if this device could not be
actuated — for instance, "astern valve could not be opened, causing
loss of ability to go astern."

Criticality can then be evaluated, and of particular
significance, the specific parts or "elements" which can cause
critical failure effects can be identified. Through this
identification, critical failure effects can be eliminated through
alternate design approaches, or their likelihood can be reduced
through reliability improvement, for instance, by improving the
failure rates of the parts.
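The following is an added worked example, not part of the report, that puts the two ideas of this chapter together: the part failure rate is built up as a base rate times the π factors listed in Table II-1 (the MIL-Handbook 217 form), and a small FMECA worksheet then ranks the elements whose failure modes have a critical system effect. All factor values, failure rates, element designators (CR3, U7, SV1), mode ratios and severity classes are constructed for illustration and are not values from the report.

```python
from dataclasses import dataclass
from math import prod

# Part failure rate in the MIL-HDBK-217 form behind Table II-1:
# lambda_p = lambda_b * (product of the pi factors).  Rates are failures per
# 1e6 hours.  The factor values below are constructed, not the report's.
def part_failure_rate(base_rate, pi_factors):
    return base_rate * prod(pi_factors.values())

# Two factor sets for one transistor.  pi_E is the same in both because the
# designer cannot change the operating environment; pi_Q and pi_S2 differ
# because quality level and voltage derating are within the designer's control.
TYPICAL = {"pi_E": 4.0, "pi_A": 1.5, "pi_Q": 5.0, "pi_R": 1.0, "pi_S2": 2.0, "pi_C": 1.0}
IMPROVED = {"pi_E": 4.0, "pi_A": 1.5, "pi_Q": 1.0, "pi_R": 1.0, "pi_S2": 0.5, "pi_C": 1.0}

def improvement_factor(base_rate, before, after):
    """How many times lower the part failure rate becomes after the redesign."""
    return part_failure_rate(base_rate, before) / part_failure_rate(base_rate, after)


@dataclass(frozen=True)
class FailureMode:
    element: str            # hardware element (constructed reference designator)
    mode: str               # e.g. fail-open, fail-short, fail-high, fail-low
    alpha: float            # fraction of the element's failures taking this mode
    subsystem_effect: str   # effect at the subsystem or "component" level
    system_effect: str      # effect on system operation
    severity: int           # 1 negligible, 2 marginal, 3 major, 4 critical


def criticality_number(rate, fm):
    """Severity-weighted failure rate of one mode: lambda_p * alpha * severity."""
    return rate * fm.alpha * fm.severity


def fmeca(rates, modes, critical_severity=4):
    """Identify the elements whose failure modes have a critical system effect.

    Returns (element, mode, criticality number) tuples, highest first, so the
    designer can see which parts to design around or to improve.
    """
    rows = [(fm.element, fm.mode, criticality_number(rates[fm.element], fm))
            for fm in modes if fm.severity >= critical_severity]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed worksheet for a few elements of a propulsion control.
RATES = {
    "CR3": part_failure_rate(0.01, TYPICAL),   # diode built up from its pi factors
    "U7": 0.5,                                 # NAND gate, assumed rate
    "SV1": 2.0,                                # solenoid valve, assumed rate
}
MODES = [
    FailureMode("CR3", "fail-open", 0.6, "astern-enable signal never goes active",
                "astern valve cannot be opened; loss of ability to go astern", 4),
    FailureMode("CR3", "fail-short", 0.4, "astern-enable signal held active",
                "astern interlock lost", 3),
    FailureMode("U7", "fail-high", 0.5, "fan damper command held open",
                "excess air; reduced efficiency", 2),
    FailureMode("U7", "fail-low", 0.5, "fan damper command held closed",
                "air flow low; boiler trip", 4),
    FailureMode("SV1", "fails closed", 0.7, "fuel oil not admitted to burner",
                "boiler cannot be lit off", 3),
    FailureMode("SV1", "fails open", 0.3, "fuel oil cannot be shut off at burner",
                "fuel admitted with no flame", 4),
]

if __name__ == "__main__":
    print(f"transistor improvement: {improvement_factor(0.01, TYPICAL, IMPROVED):.0f}x")
    for element, mode, cm in fmeca(RATES, MODES):
        print(f"{element:4} {mode:12} Cm = {cm:.3f}")
```

With these constructed numbers the redesign gives a 20-fold improvement, and the ranking puts the solenoid valve failing open (fuel admitted with no flame) ahead of the diode failing open, even though the diode mode is the one the text uses as its illustration; that ordering is what the criticality step adds to a plain FMEA.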




III. GENERAL DISCUSSION OF CONTROL SYSTEMS

Modern automated propulsion control systems are designed
to replace the watchstander and such human senses as sight,
sound, touch, smell, etc. Besides being designed to replace
the human element, the systems — if designed and functioning
properly — will perform more efficiently than the human
watchstander. But as with any system, there is no such thing as a
perfectly designed system which always functions as intended.
Therefore, the human interface cannot be entirely eliminated.
With proper design and due consideration for reliability and
maintainability, the human interface can be minimized but never
eliminated.

In the subsections which follow, the general aspects and
design functions of automated propulsion control systems are
described. The functions discussed can be seen to be those that
either replace a function once performed manually, or provide
some type of interface function between the equipment being
controlled and the watchstander.


A. STEAM TURBINE CONTROL SYSTEMS

Automated propulsion controls for steam vessels can be
broken into three major categories: boiler control, turbine
control, and auxiliary control. Within each category, a number
of functions are performed.


A.(1) Boiler Control

Boiler controls generally include safety shutoff provisions,
equipment for ignition sequencing and proving, control
loops for combustion control parameters, programming for
start-up and shutdown, and sensing provisions for such abnormal
conditions as flame failure. The control system senses and
makes the boiler respond to changes in steam demand and it trips
the boiler when an unsafe condition arises.

The following are the subsystems usually found within the
boiler control system. The function of these subsystems, together
with how the subsystems interact with each other, is
described in general terms.


A.(1)(a) Condensate Control System

The condensate control system provides the low pressure
link to close the steam and feedwater cycle. It also ensures a
reserve water capacity, usually in the deaerating feed tank, to
cover water flow transients.


A.(1)(b) Combustion Control

When steam flow from the boiler increases, there will be a
slight drop in superheater outlet pressure because of the
increased steam flow. A temporary rise in the drum level will
occur because the slight drop in pressure of the saturated liquid
causes bubbles of increased evaporation. The heat stored in
the boiler water and metal parts, and the water stored in the
boiler drum, supply the first portion of the transient increase
in steam flow without any initial corrective action by the control
system.

Signals representing the increased steam flow and the
decreased superheater outlet pressure are summed to give a
fuel/air master demand signal. This master demand signal goes
to the fuel/air control system to increase the firing rate.

The fuel/air system monitors actual air flow to the burners
by measuring pressure drops across the burner throat. It monitors
fuel flow by sensing the position of the fuel oil control
valve. On receiving a signal to increase firing, the controllers
first send a signal to the forced draft fan damper actuators
to increase air flow. After the air flow has been increased
and sensed at the burners, the fuel valve is moved to
the new flow setting required by the increased steam flow.

The fuel/air system is then balanced by the controls at the
firing rate required to restore the set value of superheater
outlet pressure and the set value of the fuel/air ratio.
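The air-before-fuel sequence just described is what control engineers call cross-limiting, and the added example below (not code from the report or from any manufacturer's system) shows it as a scan-by-scan controller: the fuel valve may only follow the air flow actually measured at the burners, and, going beyond the increase case the text describes, the air may only fall as far as the fuel already admitted allows. The master demand summation, the fuel/air ratio, actuator travel limits and the pressure gain are all assumed values; a damper that fails to move is included to show that the interlock holds fuel back rather than letting the burner go fuel-rich.

```python
from dataclasses import dataclass


@dataclass
class BurnerState:
    air_flow: float    # air flow measured at the burner throat, % of full air
    fuel_valve: float  # fuel oil control valve position, % open (flow proxy)


def master_demand(steam_flow_pct, set_pressure, outlet_pressure, gain=2.0):
    """Fuel/air master demand: the steam flow signal summed with the
    superheater outlet pressure deviation (gain is an assumed value)."""
    return steam_flow_pct + gain * (set_pressure - outlet_pressure)


def move_towards(current, target, max_step):
    """Actuator travel limit: move at most max_step per control scan."""
    return current + max(-max_step, min(max_step, target - current))


class FuelAirController:
    """Cross-limited fuel/air control.

    Air leads fuel when firing increases (the sequence in the text) and fuel
    leads air when firing decreases, so measured air never falls below what
    the admitted fuel requires.
    """

    def __init__(self, air_per_fuel=1.0, air_rate=5.0, fuel_rate=5.0):
        self.air_per_fuel = air_per_fuel  # set fuel/air ratio, % air per % fuel
        self.air_rate = air_rate          # damper travel per scan, %
        self.fuel_rate = fuel_rate        # fuel valve travel per scan, %

    def step(self, state, demand):
        """One control scan for a master demand expressed in % firing."""
        # Fuel may rise only as far as the *measured* air supports.
        fuel_target = min(demand, state.air_flow / self.air_per_fuel)
        # Air may fall only as far as the fuel currently admitted allows.
        air_target = max(demand * self.air_per_fuel,
                         state.fuel_valve * self.air_per_fuel)
        return BurnerState(
            air_flow=move_towards(state.air_flow, air_target, self.air_rate),
            fuel_valve=move_towards(state.fuel_valve, fuel_target, self.fuel_rate),
        )


def run(controller, state, demand, scans):
    """Drive the loop at a fixed demand; return the (air, fuel) trajectory and
    whether the burner was ever fuel-rich (fuel admitted exceeding measured air)."""
    history = [(state.air_flow, state.fuel_valve)]
    fuel_rich = False
    for _ in range(scans):
        state = controller.step(state, demand)
        if state.fuel_valve * controller.air_per_fuel > state.air_flow + 1e-9:
            fuel_rich = True
        history.append((state.air_flow, state.fuel_valve))
    return history, fuel_rich


if __name__ == "__main__":
    # Constructed transient: firing raised from 20% to 40%, then back to 20%.
    up, _ = run(FuelAirController(), BurnerState(20.0, 20.0), 40.0, 6)
    down, _ = run(FuelAirController(), BurnerState(40.0, 40.0), 20.0, 6)
    print("increase:", up)
    print("decrease:", down)
```

On the increase the first scan moves only the damper (air 25%, fuel still 20%), and the fuel valve follows one scan behind; on the decrease the order reverses. With the damper stuck (air_rate=0) the fuel valve never opens further, which is the failure mode the cross-limit exists for.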


A.(1)(c) Drum Level Control

The drum level controller ignores the small rise in drum
level because it has received an increased steam flow signal as
well. A little later, however, the drum level will start to
drop, and the decrease in drum level signal combined with the
increase in steam flow signal will cause the drum level controller
to reposition the feed water control valve to give more
water flow to the boiler drum.

Fuel, air, and water are now reset to the newly required
values to accommodate the increase of steam flow.


A.(1)(d) Fuel Oil Pressure Control

To permit using fuel oil valve position as a flow indication,
the fuel oil control valve differential pressure is monitored
and held constant by adjustment of a fuel header bypass
valve. Fuel oil viscosity is held essentially constant by
controlling fuel oil temperature through regulation of the steam
supply to the fuel oil heaters.


A.(1)(e) Superheated Steam Temperature

The superheater outlet temperature controller holds the set
temperature by adjusting the amount of desuperheated steam bled
into the system from the control desuperheater in the water
drum.


A.(1)(f) Feedwater Pressure Control

When a variable speed feed pump is used, two control methods
are in general use today. In one method, a controller regulates
pump discharge pressure by adjusting pump speed. The feed
water flow is measured by the differential pressure across an
orifice in the feed line to the boiler. In the second method,
the speed of the pump is controlled to maintain a constant
pressure drop across the feed water control valve. The feed
water control valve position may then be used as a feed flow
measure.

In cases where a constant speed feed pump is used, the
usual arrangement is to measure feed flow with an orifice, and
to control flow with a feed control valve.


A.(1)(g) Burner Management

The burner management logic controls the automatic boiler
purge and light-off sequence. Also, the logic usually controls
the fuel oil recirculation function and the boiler shutdown
logic. All control systems automatically shut down the boiler
when the following occurs:

a) Loss of flame.

b) Drum level low low.

Some systems also provide for other trip logic which will shut
down the boiler. Some of these are:

a) Air flow low.

b) Fuel oil pressure low.

c) All burner valves closed.

d) Unsuccessful burner shutdown.
A.(2) Turbine Controls

Automated turbine control systems control the flow of steam
for ahead or astern propulsion. The most commonly used system
incorporates two propulsion control loops. The primary loop
positions the steam valves as a function of the throttle lever
setting, which in turn is approximately proportional to propeller
RPM. The secondary or speed feedback loop, which is used
during maneuvering, positions the steam valves to maintain shaft
revolution at a constant value as established by the throttle
lever setting. In addition to propulsion control, the turbine
control usually contains the following auxiliary control
features:

a) Automatic rollover of shaft when throttle is in
the stop position,

b) Automatic RPM reduction when an abnormal
condition occurs, and

c) Turbine trip when extreme conditions occur.


A.(3) Auxiliary Control

The auxiliary controls start standby pumps, regulate the
voltage and frequency of electrical power, control pressure and
temperature of lubricating oil, and serve other functions usually
associated with direct acting, on/off or direct proportional
controls.


B. DIESEL VESSEL CONTROL SYSTEMS

Diesel propulsion system controls perform, as a minimum,
two overall functions, namely 1) automatic or semi-automatic
engine start-up and shutdown, and 2) automatic engine speed
control based on thrust requirements. Other overall functions
depend on the specific system and may include clutch control and
propeller pitch control.

Engine start-up is primarily a semi-automatic function in
that it is manually initiated (for instance, by depressing a
push-button switch). Subsequent start-up control actions are
fully automated. These involve first checking automatically to
ascertain that engine start-up is permissible. To accomplish
this, sensor signals are "checked" by the controls to determine
if all start-up permissives are met. These permissives include
adequate fuel oil and lube oil pressure and jacket water
temperature, barring gear disengaged, etc.

If all start-up permissives are met, the automatic sequence
proceeds by signalling the engine to initiate the start-up
procedure. The exact procedure will vary somewhat depending on the
specific engine but generally involves purging the crankcase,
rolling the engine on starting-air, admitting the fuel oil supply,
etc. In most present systems, these latter procedures are
under the control of hardware provided on the engine itself
(that is, remote from the engine control console), and are
supplied by the engine manufacturer.

Engine shutdown is both automatic and semi-automatic.
Automatic shutdowns are initiated when a condition exists that
could cause engine damage (for instance, low lube oil pressure).
Sensor signals are continuously "checked" automatically to
determine if such a condition exists. Semi-automatic shutdowns
are manually initiated by depressing a shutdown switch on the
console. Subsequent procedures are the same for either type of
shutdown, and are controlled automatically. These generally
involve sending a shutdown signal to control equipment provided
on the engine which, in turn, shuts down the fuel oil supply.
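The boiler trip list in A.(1)(g) and the diesel start-up permissives and automatic shutdown just described are the same kind of logic: a set of unsafe conditions evaluated against sensor readings, some of which every system provides and some of which are optional. The added example below (not code from the report or any control system it surveyed) expresses both with one evaluator. The threshold values and sensor names are assumed, and a reading that is missing is treated as unsafe, so a failed transmitter blocks a start or trips the boiler rather than silently disabling the check.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Condition:
    """An unsafe condition; test(sensors) returns True when it is present."""
    name: str
    test: Callable[[dict], bool]
    mandatory: bool = True   # False = trip logic only some systems provide


def below(key, limit):
    # Analog reading below its limit.  A missing reading also counts as unsafe
    # so that a failed transmitter cannot defeat the check (fail-safe).
    return lambda s: s.get(key) is None or s[key] < limit


def flag(key, expected=True):
    # Discrete input not in its expected state (missing counts as unsafe).
    return lambda s: s.get(key) is not expected


# Boiler trips from A.(1)(g): the two all systems provide, then the optional ones.
BOILER_TRIPS = [
    Condition("loss of flame", flag("flame_detected")),
    Condition("drum level low-low", below("drum_level_pct", 20.0)),
    Condition("air flow low", below("air_flow_pct", 15.0), mandatory=False),
    Condition("fuel oil pressure low", below("fo_pressure_bar", 5.0), mandatory=False),
    Condition("all burner valves closed", flag("any_burner_valve_open"), mandatory=False),
    Condition("unsuccessful burner shutdown", flag("burner_shutdown_ok"), mandatory=False),
]

# Diesel start-up permissives, written as the conditions that block a start.
DIESEL_START_BLOCKS = [
    Condition("fuel oil pressure low", below("fo_pressure_bar", 3.0)),
    Condition("lube oil pressure low", below("lo_pressure_bar", 2.0)),
    Condition("jacket water temperature low", below("jacket_water_c", 40.0)),
    Condition("barring gear engaged", flag("barring_gear_disengaged")),
]

# Running-engine automatic shutdown condition named in the text.
DIESEL_RUN_TRIPS = [
    Condition("lube oil pressure low", below("lo_pressure_bar", 2.0)),
]


def active(conditions, sensors, include_optional=True):
    """Names of the unsafe conditions present in a sensor snapshot."""
    return [c.name for c in conditions
            if (c.mandatory or include_optional) and c.test(sensors)]


def boiler_trip_reasons(sensors, optional_trips_fitted=True):
    return active(BOILER_TRIPS, sensors, optional_trips_fitted)


def diesel_start_permitted(sensors):
    """(permitted, unmet permissives) for a manually initiated start."""
    unmet = active(DIESEL_START_BLOCKS, sensors)
    return (not unmet, unmet)


def diesel_shutdown_reasons(sensors):
    return active(DIESEL_RUN_TRIPS, sensors)


# Constructed sensor snapshots for a healthy boiler and a diesel ready to start.
BOILER_NORMAL = {"flame_detected": True, "drum_level_pct": 55.0, "air_flow_pct": 60.0,
                 "fo_pressure_bar": 12.0, "any_burner_valve_open": True,
                 "burner_shutdown_ok": True}
DIESEL_READY = {"fo_pressure_bar": 4.5, "lo_pressure_bar": 3.2,
                "jacket_water_c": 55.0, "barring_gear_disengaged": True}

if __name__ == "__main__":
    print(boiler_trip_reasons({**BOILER_NORMAL, "flame_detected": False}))
    print(diesel_start_permitted({**DIESEL_READY, "barring_gear_disengaged": False}))
```

Returning the list of reasons rather than a bare yes/no is deliberate: it is what the watchstander needs on the console to tell a genuine trip from a sensor fault, and it is what an FMEA of the control logic itself has to work from.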

Automatic engine speed control is usually implemented
through use of a classical, feedback control loop. This loop
consists of the throttle lever, some type of device to simulate
the engine's speed vs. power curve, a device to provide actual
engine speed, and an error signal generator. Signals from the
throttle lever are used in the loop to determine the desired
engine operating point on the speed-power curve. This desired
engine operating point is compared with the actual operating
speed by the error signal generator. If the desired and actual
points are identical, no error signal is generated. If they are
not identical, an error signal is generated which indicates
whether actual speed is too slow or too fast. This error signal
is transmitted to the engine where it is used to increase or
decrease engine speed.
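As an added example (not code from the report), the loop just described in simulation: a lookup standing in for the device that simulates the speed vs. power curve, an error signal generator that gives no signal when desired and actual agree and a signed signal otherwise, and a first-order engine model that the signal drives. The curve points, the deadband, the engine lag and the loop gain are all assumed; the propeller pitch loop later in this section has the same structure with the required pitch as the setpoint.

```python
from dataclasses import dataclass

# Constructed engine speed-vs-power curve as (throttle lever %, rpm) points.
# A real curve comes from the engine manufacturer; these numbers are assumed.
SPEED_POWER_CURVE = [(0, 0.0), (25, 300.0), (50, 480.0), (75, 610.0), (100, 720.0)]


def desired_speed(throttle_pct, curve=SPEED_POWER_CURVE):
    """The device that simulates the speed vs. power curve: piecewise-linear
    lookup of the desired operating point for a throttle lever setting."""
    x = max(curve[0][0], min(curve[-1][0], throttle_pct))
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    return curve[-1][1]


def error_signal(desired_rpm, actual_rpm, deadband=1.0):
    """Error signal generator: zero when desired and actual agree (within the
    assumed deadband), otherwise signed so that negative means too fast."""
    err = desired_rpm - actual_rpm
    return 0.0 if abs(err) <= deadband else err


@dataclass
class Engine:
    """First-order engine model (assumed): rpm closes part of the gap to the
    commanded rpm on every control scan."""
    rpm: float
    command: float = 0.0
    lag: float = 4.0   # scans for roughly 63% of the gap to close

    def scan(self):
        self.rpm += (self.command - self.rpm) / self.lag


def run_speed_loop(throttle_pct, engine, scans, gain=0.5):
    """Closed loop: throttle -> desired rpm -> error -> engine command.
    The error is accumulated into the command so that a steady error is
    driven to zero.  Returns the rpm after each scan."""
    setpoint = desired_speed(throttle_pct)
    trajectory = []
    for _ in range(scans):
        engine.command += gain * error_signal(setpoint, engine.rpm)
        engine.scan()
        trajectory.append(engine.rpm)
    return trajectory


if __name__ == "__main__":
    for k, rpm in enumerate(run_speed_loop(50, Engine(rpm=0.0), 40)):
        print(f"scan {k:2d}: {rpm:7.1f} rpm")
```

Running it shows the point the text makes about the error signal's sign: the command rises while the engine is too slow, overshoots, then the negative error pulls it back, and the loop settles at the 480 rpm the curve gives for a 50% lever setting.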

Other functions performed by the automatic controls can
include clutch control and propeller pitch control. Clutch
control consists of activating or de-activating some type of
clutch actuator. Generation of the activate signal is based on
checking for the presence of all clutch engage permissives.
These include proper engine speed and proper synchronization of
engine speeds when the vessel has more than one engine. The
activate process is usually initiated semi-automatically via
depression of a pushbutton switch. The de-activate process can
be initiated via a pushbutton switch, by some condition that
would cause machinery damage if the clutch remained engaged, or
by engine shutdown.

Automatic propeller pitch control again usually utilizes a
classical, feedback control loop. This loop consists of the
throttle lever, some type of device for correlating engine speed
and load with the propeller pitch angle, a device to provide
actual propeller pitch, and an error signal generator.
Signals from the throttle lever are used in the loop both
to indicate pitch direction (i.e., ahead or astern), and to
indicate the desired vessel speed. This desired speed and
direction signal is correlated with engine speed and load to
determine the actual propeller pitch required. The error signal
generator then compares this required pitch with actual pitch.
If the required and actual points are identical, no error signal
is generated. If they are not identical, the error signal
indicates the direction and magnitude of the error. This error
signal is sent to the propeller unit to control pitch actuation.
IV. LITERATURE REVIEW

Task I of the DOVAP study consisted of a search and review
of the open literature. The effort focussed on marine automation
systems and their reliability and maintainability characteristics.
Over 250 documents were reviewed, from which 115
were deemed applicable to the study. Summaries of the pertinent
contents of these applicable documents were prepared. In addition,
a document log was prepared, and a cross-reference matrix
for accessing the documents was developed.

In the following subsections, the approach to, and the
findings of, this literature search are described. The individual
document summaries, the document log, and the
cross-reference matrix are provided in Appendix A.


A. LITERATURE SEARCH APPROACH

The literature search conducted as Task I of the DOVAP
study was structured to consist of four subtasks, viz, 1) an
abstract and title search, 2) document acquisition and review,
3) summarizing and cross-referencing pertinent document contents
for further reference, and 4) evaluation of the pertinent documents
to obtain overall findings and conclusions. Each of these
four subtasks is discussed below.


A.(1) Abstract and Title Search

The major objective of this subtask was to ensure consideration
of any document that might be pertinent to the reliability
of large commercial vessel automation systems. Toward this
end, abstracts were reviewed to the extent possible since it was
felt that an abstract review, as opposed to a title search,
would provide better insights into the actual contents of the
document. In cases where abstracts were not available, title
searches were conducted. Abstracts were generally available,
however, so that search by title alone was seldom necessary.

The major abstract compilation searched was that of the
Maritime Research Information Service (MRIS). These abstracts
were reviewed for the period from January, 1973 to June, 1981.
In addition, the MRIS Current Awareness Series for 1981 was
reviewed. The MRIS abstracts cover symposium papers, contract
reports, and such publications as the Naval Engineer's Journal
and the Journals of the Society of Naval Architects and Marine
Engineers. Hence, the MRIS abstracts provide quite comprehensive
coverage.


National Technical Information Service (NTIS) abstracts
were also searched. There is considerable overlap between MRIS
and NTIS, but NTIS provides more complete coverage of U.S. Navy
contract reports.

A cursory review of "Ship Abstracts," a joint
Norwegian-Swedish-Dutch-Finnish information service, was conducted.
A majority of the documents abstracted, however, were
not in English, and those in English were found to be also covered
in MRIS.

In addition to the abstract searches noted above, library
searches were conducted to ensure thorough coverage of the
literature. This part of the effort focussed on recent documents
that might be too recent to be covered by MRIS and NTIS. Also,
cumulative indexes of maritime publications were checked by
title to ascertain that pertinent documents were not overlooked.


A.(2) Document Acquisition and Review

From the abstract and title search, over 250 documents were
identified as possibly pertinent, and were ordered. Of these,
only six could not be obtained. As could be expected, many of
the documents were found not to be pertinent once they were
reviewed. Also, as more documents were reviewed, considerable
repetition between documents was noted. Nevertheless, 115
documents ranging from good to excellent in terms of their
applicability to the DOVAP study were reviewed.

Since both reliability and automation systems encompass a
wide range of factors, applicable documents also cover a broad
spectrum of topics. For instance, maintainability is of interest
because proper preventative maintenance can enhance reliability,
and improper maintenance can result in equipment malfunction.
The state of the art is of interest because it indicates
the "maturity" of the equipment and hence whether early
design and development problems can be expected. Environmental
factors are of interest because failures can occur due to
overstress if the equipment is subjected to environmental parameter
levels that exceed design levels.

The documents identified as applicable to the DOVAP study
can be divided into nine broad categories of topics. These are
as follows:

a) R&M Quantitative Data: Failure rates, failure
frequencies, repair rates, equipment availability,
etc.

b) R&M Qualitative Data: Failure mode descriptions,
operating experience/problems, preventative maintenance
procedures, quality assurance provisions.

c) Maritime R&M Status Information: Extent and
nature of R&M practiced in the maritime
community.

d) Automation Configuration Information: Types of
hardware items and systems, and what functions
they must perform.

e) Automation State of the Art: Degree of maturity,
or point on the "learning curve" the equipment
has achieved.

f) Spare Parts Assessments: Availability of spare
parts for repair, on-board spare parts provisioning
practices, spare parts problems, etc.

g) Regulations/Requirements: Mandatory and non-mandatory
requirements for automation system design,
analysis, construction test, etc.

h) Environmental Information: Natural and man-made
environmental factors which can impact equipment
operation.

i) Other: Emerging trends such as condition monitoring;
training/skills; system documentation/
maintenance manuals; predictions/projections of
maritime trends/potential problems; etc.

The contents of some of the applicable documents fell into more
than one of the above broad categories. Other documents
concentrated on topics in a single category. The portions of the
document pertinent to the DOVAP study ranged from a few paragraphs
or a few sentences to the entire document.


A.(3) Summarization and Cross-Referencing

Due to the large number of documents received and reviewed,
a method of coding them for easy access was required. To
accomplish this, a four-step procedure was employed. This
consisted of (1) a document logging scheme, (2) preparation of
summary sheets, (3) assignment of category codes for
cross-reference and (4) preparation of narrative summaries of
the pertinent information.

The document log consists of a straightforward index card
file and log sheet system. All applicable documents are referenced
and accessible by their respective log numbers. The log
sheets are provided in Appendix A.

Forms were developed for summarizing the applicable document
information. The intent of these forms was to provide
accessibility to pertinent information within the document.
Since many of the documents were on microfiche, locating pertinent
information within the document could have proved troublesome
without this scheme. These summary forms were completed as
the documents were reviewed.

The summary sheets noted above were not intended to provide
accessibility across all documents. To accomplish this, a subject
categorization/accessing code system was implemented. This
consists of an indentured breakdown of subject categories together
with a code number for each category. Documents were
assigned as many code numbers as were applicable, and the code
numbers were entered onto the document's card in the log file.
A cross-reference matrix was also prepared that indicates the
documents, by log numbers, containing information in the various
subject categories. This cross-reference matrix is provided in
Appendix A.

Narrative summaries of each applicable document were also
prepared. These summaries are again provided in Appendix A.

In preparing these narrative summaries, no attempt was made
to "judgmentally" evaluate the documents. Instead, every attempt
was made to objectively summarize the portions of the
document that could be applicable to the DOVAP study, or possibly
to any other study involving maritime reliability and
maintainability and/or marine automation systems.


B. LITERATURE SEARCH FINDINGS AND CONCLUSIONS

This section describes overall and specific findings and
conclusions of the Task I Literature Search. In addition, some
observations resulting from the literature search are noted.
These observations are as follows:

a) It appears that very little formal, systematic
reliability engineering is applied during commercial
vessel design activities. The reliability
engineering that is applied seems to consist
primarily of qualitative judgments as to how well
the equipment can be expected to perform.

b) Increasing maritime accident rates provide a strong
argument for the need for more detailed and in-depth
R&M considerations.

c) The terms "reliability" and "maintainability" are
often used loosely in the literature, and appear
to mean different things to different people.
Many use the terms to convey some intuitive measure
of equipment "worth." The terms, and reliability
especially, were often not used in the sense of
their established, theoretical framework.

d) A general awareness of current reliability problems
(e.g., areas known to be troublesome) was evidenced
in the literature, and good qualitative evaluations
of them were provided.

A number of overall and specific findings and conclusions of the
literature search were developed. These are presented below
under the nine category headings cited for the applicable documents
in section A above.


B.(1) R&M Quantitative Data

About forty documents provide marine R&M quantitative data
of various types. The more extensive of these data sources were
developed for the Navy. Log #508 is a particularly comprehensive
tabulation of R&M data (MTBF's, MTTR's, etc.) developed for
Navy mechanical equipment. The non-Navy documents provide a
"scattering" of MTBF's, availabilities, and failure frequencies.
While these are not comprehensive enough to use alone, they were
used during subsequent phases of the study in developing "K"
factors for adjusting failure rates from other sources. Such
adjustment is necessary, for instance, to convert Navy failure
rates which reflect MIL-SPEC quality levels to values reflecting
commercial quality levels.

Considerably more quantitative reliability data was found
than maintainability data, with Navy documents providing almost
all of the maintainability data. Since Navy maintenance policies
and approaches differ considerably from commercial practices,
it appears that even with adjustment, Navy maintainability
data would have to be used judiciously for commercial
applications.

The summaries of some of the more pertinent papers dealing
with quantitative data are presented below. As indicated above,
most of this data was used later in the study in developing
K-factors for adjusting failure rates for non-commercial equipment
to those applicable to commercial equipment or to determine
the correlation between the historical data and the predicted
values.

B.(1)(a) Log #106

This document investigated two aspects of equipment behavior,
i.e., reliability and degradation. This data was collected
on Navy shipboard machinery. Routine maintenance data on
the shipboard machinery were analyzed to identify failure and
degradation trends. The maintenance actions considered were
those occurring since the last ship overhaul. The paper concluded
that the reliability of some ship's equipments tended to
decrease with age, and that the number of maintenance actions
increased. As an example, the paper shows that for main boilers,
the mean operating hours to first failure is 1,050. The
mean operating hours to the second failure of boilers was 875
hours. Because some equipments exhibited an increasing maintenance
rate over their operational lives, the commercial operator
must anticipate this increased maintenance demand.

B.(1)(b) Log #026

This document reports on a study comparing the reliability
of single boiler and multiple boiler vessels. Reliability is
based on casualties, where casualty is defined as: (a) actual
physical damage of property in excess of $1,500; (b) material
damage affecting the seaworthiness or efficiency of the vessel;
(c) stranding or grounding; (d) loss of life; (e) injury causing
any person to remain incapacitated for a period in excess of 72
hours. This data was obtained from commercial vessel information
related to the above mentioned casualties supplied to the Coast
Guard. In this data, the total of casualties for multi-boiler
vessels was 3,912. The number of multi-boiler ship-years was
3,854, which yields a ratio of the number of casualties to the
number of ship-years of 1.015. This is undoubtedly a conservative
number because it is suspected that many minor casualties
are not reported. These figures appear to include primarily
major boiler damage due to explosions and major structural
failures.

B.(1)(c) Log #008

This paper describes experiences with unattended engine
room operation in 6 turbine tankers. More than 20 ship-years of
accumulated history are represented in the data. The paper
reports that casualties have occurred on some of the ships, with
some of these resulting in serious damage, such as a major gear
fracture and two groundings. However, the paper reports that
none of these casualties were caused directly or indirectly by
the automation systems. It also reports that the automation
systems have not been responsible for delays in port or reduced
performance.

The paper lists all alarms for the six ships and classifies
them as: (a) true alarms; (b) alarms resulting from maneuvers
or exceptional operation; (c) false alarms. Figure IV-1 shows
the average number of true alarms per month for the six ships
over a six-year period. It is interesting to note that it takes
approximately three years before the number of alarms stabilizes,
and that after the fifth year the number slightly increases.
Alarms resulting from maneuvering also show a sharp
decrease after the first year and stabilize after the second
year. Again, false alarms decrease after the third year and
then stabilize. The nature of the alarms is given in the paper,
and Table IV-1 shows the approximate distribution of alarms by
causes.
Table IV-1

Average No. of Alarms per Month, 6 Ships (From Log #008)

                                                        Alarms Which
                                         No./Month:     Would be Included
Alarm                     Parameter      6 Ships        in Current Study

F.O. Filter               ΔP              87.2
Evaporator                Salinity High   13.1
                          Level Lo
Drain Tank                -                8.8
Air Compressor            -                6.2
Sterntube L.O. Hdr. Tank  Level Lo         5.7
Dirty Oil Tank            Level Hi         5.35
Desuperheated Steam       Temp Hi          4.2
Superheated Steam         Temp Hi          4.1           *
Mn. Propul. Unit          Trip             3.8           *
Mn. Boiler F.O. Valve     Trip             2.85          +
Starting Air Comp.        -                2.5
Water in F.O. Bunker      -                2.2
F.D. Fans                 Stop             1.7
Main Boiler               Lo-Lo Level      1.65          *
Flame Failure             -                1.5           *
Gland Steam               Pres. Lo         1.5
Feedwater                 Pres. Lo         1.5           *
Exh. Steam Line           Pres. Hi         1.3
Drain Tank                Level Hi         1.3
F.O. to Burners           Pres. Lo         1.0           *
Main Circ. Pump           Fail to Start    1.0
F.D. Fan                  Oil Pres. Lo     1.0
Exh. Steam Line           Pres. Lo         0.9
De-oiler                  ΔP Lo            0.8
Main Boiler               Level Hi-Hi      0.75          *
Superheated Steam         Temp. Lo         0.7           *
Auxiliary Boiler          Lo-Lo Level      0.7           *
Deaerator                 Level Lo         0.7           *
Oil in Observation Tank   -                0.7
Main Boiler               Level Lo         0.65          *
T.A. Tripping Out         -                0.5
Auxiliary Boiler          Level Hi-Hi      0.5           *
Lack Combust. Air         -                0.5           *
Blackout                  -                0.5           *
Main Boiler               Level Hi         0.3           *
Oil T.A.                  Pres. Lo         0.9

Total Included in Current Study = 21.3
Average Per Ship Per Month = 3.5
correlates with those predicted for Ships A and B (the steam
turbine vessels) in the DOVAP study.

B.(1)(d)  Log #097

This document reports on a study of a group of very large
crude carriers (VLCC) operated by the Shell Oil Company. These
ships are foreign-built, and are designed for unmanned machinery
operation. Between January, 1973 and June, 1977, Shell International
Marine commissioned 25 of these VLCC's, a new class
designated as the "L" class. The ships are turbine driven, and
were built by six different shipyards. Consequently the instrumentation
and controls are somewhat different, although
basic specifications are the same.

In January of 1978, Shell initiated a study to evaluate the
operational experiences with the instrumentation and control
systems and to determine the factors that affected their reliability.
From the data presented in this paper, DOVAP concluded
that the "L" class vessels' instrumentation and controls are
considerably more complex than those of the three systems considered
during the DOVAP study. In the case of the "L" class
vessels, there are 175 alarm-type surveillance systems and 85
automatic shutdown systems, with 28 of the latter being
associated with the propulsion plant.

The data base for the study reported in this paper was
generated from the Shell International Marine Defect Casualty
Reporting System. After reviewing the data, it seems obvious to
DOVAP that not all incidents are reported. The paper does state
that only incidents resulting in delays or in the need for replacement
parts are documented. The data covers 62 ship-years,
or roughly one-half million ship hours. The total number of
failure or malfunction incidents reported was 414, which amounts
to 6.6 per ship-year. Again, it seems obvious from the number
of malfunctions that the total number of occurrences is not
being reported. However, this reported data is useful for comparative
purposes. Also, it is the only data found where the
relative number of failures for flame scanners, carbon dioxide
systems, oxygen analyzers, and smoke density systems can be
determined.

The following was extracted from the data reported in this
paper and is indicative of the magnitudes of various problems
related to automated control systems on the "L" class vessels.

BOILER TRIPS: Of the total 414 reported faults, 28 were
boiler trips. Table IV-2 gives the causes of the 28 trips and
their percentages of the total.

BURNER RELIGHT INHIBITS: There were 25 incidents which
prevented relighting of the burners. The causes and percentages
of these are given in Table IV-3.
TABLE IV-2

Reported Faults Resulting in Main Boiler Auto-Shutdown
(Log #097)

                                                    Number of    Percent
                                                    Incidents    of Total

Forced draft fan trip due to transmitter,               8          28.6
  controller and broken control air lines
Fuel valve relay fault                                  6          21.4
Erroneous flame-failure trip                            4          14.3
Erroneous drum level hi-hi and lo-lo trip               4          14.3
Fuel valve switch fault                                 2           7.1
Erroneous superheater high temperature trip             1           3.6
Combustion air flow transducer fault                    1           3.6
Waterlogged atomizing steam line due to                 1           3.6
  undersized drain trap
Drum level controller fault                             1           3.6

Total                                                  28


TABLE IV-3

Reported Faults Inhibiting the Relighting of the Burners
(Log #097)

                                                    Number of    Percent
                                                    Incidents    of Total

Timer faults                                           13          52
Ignitor and ignitor transformer faults                  5          20
Faults on printed-circuit boards                        4          16
Air register solenoid valve faults                      2           8
Flame scanner faults                                    1           4
POTENTIAL LOSS OF PROPULSION: In addition to outright
boiler trips, there were 62 incidents that could have resulted
in loss of propulsion; these are depicted in Table IV-4.

TOTAL NUMBER OF INCIDENTS BY SYSTEM: Table IV-5 gives the
total number of incidents by system and the percent contribution
of each system. This breakdown indicates that burner management
is the largest contributor to total system unreliability. The
description of burner management on the L-class vessels indicates
that it is a binary control system with numerous interfaces,
e.g. level switches, pressure switches, flame detectors,
and solenoid valves. The description of the system also indicates
that the same operational philosophy is applied as on the
two turbine ships investigated in the DOVAP study. However, the
L-class systems appear to be somewhat more complex because of
the number of alarms and trip possibilities.

COMPONENT FAILURES: Table IV-6 depicts the types of
component failures that cause system failures. This data shows
that the primary causes of system failure are circuit cards,
followed closely by transducers.

B.(1)(e)  Log #083

Log #083 reports on a reliability study of marine turbine
plants based on data gathered over the one-year period from
April 1, 1977 through March 31, 1978. The study covers
thirty-one vessels, of which 29 were tankers. The age of seven
vessels was 2 years and under; the age of fifteen vessels was
2.1 to 4 years; the remaining vessels were over 5 years old.

The paper breaks down the total failures experienced by component
and system, and by major failure modes, and also by type of
steam plant, age of ship, MO certified, ship state when failure
occurred, effect of failure on ship operation, and method of
failure detection.

Some of the statistics of interest have been excerpted
and are presented in Table IV-7. There was a total of 31 stoppages
at sea, or an average of 1 per ship for the year. It is
reported that the hours for stoppages at sea was 248.6, or an
average of 8.2 hours per stoppage. There were 41 occasions
during the year when the vessel proceeded at reduced RPM, with a
total time for reduced RPM of 854.4 hours, or an average of 20.8
hours per occasion. The failure breakdown by components shows
that the major contributor to stoppage at sea was the main engine,
and that the principal contributor to reduced RPM was the
boiler system. Although the data did not clarify criteria for
dead in the water (DIW) and reduced RPM, DOVAP suspects that
temporary short-term stoppages or reduced RPM were not included
in the data because of the low number of reduced RPM
occurrences.


TABLE IV-4

Reported Faults that Could Have Resulted
in the Loss of Propulsion
(Log #097)

                                                           Number of    Percent
                                                           Incidents    of Total

Flame scanner fault                                           13          20.9
Erroneous drum level indication - transmitter fault            9          14.5
Erroneous superheater high temperature - transmitter fault     7          11.3
Erroneous fuel oil signal - transmitter fault                  7          11.3
Burner management relay faults                                 5           8.1
Drum level error due to controller                             5           8.1
Air register and fuel valve solenoid fault                     4           6.4
Control circuit card faults                                    2           3.2
Feed pump timer fault                                          1           1.6
F.D. fan mechanical breakdown                                  1           1.6
F.D. fan solenoid valve fault                                  1           1.6
Combustion air controller fault                                1           1.6
Flame scanner motor fault                                      1           1.6
Drum pressure - transmitter fault                              1           1.6
Feedwater valve fault                                          1           1.6
Superheater spray cooler valve motor fault                     1           1.6
Drum level timer fault                                         1           1.6
Drum level relay fault                                         1           1.6

Total                                                         62
TABLE IV-6

Types of Faults (Log #097)

                                        Number of Incidents

Circuit cards                                  95
Transducers                                    83
Microswitches and relays                       55
Solenoids                                      44
Complete units                                 32
Miscellaneous                                  22
Timers                                         21
Mechanical                                     21
Power                                          12
Recorders and indicators                       10
Controllers                                     8
Commissioning and design faults                 4
Earth faults                                    3
Printers                                        3
Root extractors                                 1

Total                                         414
TABLE IV-7

Operational Vessel Failure Summary (Log #083)
Log #066 also contains data on stops at sea and slowdowns
per year. Table IV-8 tabulates this data. In the Log #066
data, the number of stops at sea was slightly less than those
reported in Log #083, with the average of stops at sea being
0.67. However, at 3.34 slowdowns per year per ship, the average
number of slowdowns per year was significantly higher.


B.(1)(f)  Log #075

This paper documents a study to determine the length of the
initial, or infant mortality, period for marine machinery. In
addition, the study identified the causes of failures, and the
contribution to total failure rates of various types of equipment.
Data was collected on six turbine and four diesel vessels.
All ten vessels had automated systems, and all of the
turbine ships had two boilers. Table IV-9 shows some of the
statistics of interest related to the automated control systems.

As can be seen from the table, approximately 24 percent of
the total steam vessel failures during the initial phase were
due to the automated control system. Once the steady state, or
so-called random period, was reached, the contribution to the
overall failure rate by the automated controls on steam vessels
dropped to approximately 17 percent. Converting this into failures
per month per ship, the automated controls were experiencing
on average 1.84 failures per ship per month during the initial
period, and 0.56 during the random period. The highest
contributor during the random period is piping and valves, which
accounted for 53.9 percent or, on average, 1.82 failures per
month during the steady state.

Because valves and valve controllers are often integral
parts of the control system, some failures in this area would
probably be classified as part of the control system as defined
for the DOVAP study.

The conclusions of the study reported in Log #075 are as
follows:

a)  The time to reach the steady state condition
    varied from ship to ship, and the range was from
    three to eight months; however, the average time
    period was five months.

b)  Major contributors to the failure rates were:
    (1) piping and valves; (2) automation equipment
    for turbine ships and main engine and deck
    machinery for diesel vessels.

c)  Seventy-five percent of the initial failures were
    due to manufacturing, including bad installation,
    and defective workmanship.

d)  During the random period, the major contributors
    to the unreliability were design defects and
    defects in materials.


B.(1)(g)  Other Quantitative Data

In the data reviewed during Task I of the DOVAP study, a
great deal of concern was expressed about boiler explosions, but
no quantitative data was given. As explained in subsequent
sections of this report, during DOVAP's performance of FMEA's
and fault tree analyses, many conditions were found which could
potentially result in an explosion. However, DOVAP found that
usually a series of events must occur for an explosion to occur
and that some of these events are outside of the automated control
system.

In order to obtain an estimate of the actual frequency of
boiler explosions, DOVAP combined data from two sources. The
frequency of marine boiler failures was obtained from the ARINC
Report, Log #503. Frequencies for commercial power boiler
failures were obtained from a report generated by the National
Board Members and Other Authorized Inspection Agencies for the
year 1979.

The ARINC data reports failures on five classes of Navy
steam turbine ships, and this data is summarized in Table IV-10.
The mean boiler MTBF over all 5 ship classes is 2,320 operating
hours. From the commercial power turbine data, as shown in
Table IV-11, the percent of boiler failures due to explosions is
6.4. Using this percentage with the total failure rate of marine
boilers from the ARINC data, the expected marine boiler
explosions per million operating hours is 27.6. To convert this
into expected explosions per commercial steam vessel with two
boilers, it is first assumed that boiler usage averages 1.5 boilers
per day. This gives an accumulated usage of 13,140 operating hours
per year per ship. Dividing the 13,140 expected boiler operating
hours per year into the MTBF for boiler explosions of 36,232
hours (i.e., the reciprocal of the 27.6 failures per million
hours) gives an expected rate for boiler explosions of one
every 2.76 ship-years. Although this is relatively infrequent,
it is still frequent enough that it should be a major concern in
the design and operation of automated propulsion control systems.
This is especially true in view of the possibility of
extreme damage to the propulsion system and, as indicated in
Table IV-11, the possibilities of injuries or deaths to crew
members.
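The derivation above can be carried through from the table totals. The following is an added worked example, not part of the DOVAP report; it takes the pooled failures and hours of Table IV-10, the furnace-explosion share of Table IV-11 (78 of 1,218 accidents), and the report's assumption of 1.5 boilers in use on average, and exposes each step as a function so the assumption about boiler usage can be varied. The function and variable names are this example's own.

```python
# Added worked example (not from the DOVAP report): reproduces the
# boiler-explosion frequency estimate of Section B.(1)(g) from the totals
# in Tables IV-10 and IV-11, one named function per step of the chain.

HOURS_PER_YEAR = 24 * 365  # 8,760 hours


def pooled_mtbf_hours(failures: int, operating_hours: float) -> float:
    """Pooled mean time between failures: total hours / total failures."""
    if failures <= 0:
        raise ValueError("at least one failure is needed to estimate an MTBF")
    return operating_hours / failures


def failures_per_million_hours(mtbf_hours: float) -> float:
    """Convert an MTBF in hours to a failure rate per 10^6 operating hours."""
    return 1_000_000 / mtbf_hours


def explosion_rate_per_million_hours(boiler_mtbf_hours: float,
                                     explosion_fraction: float) -> float:
    """Boiler failure rate scaled by the share of failures that are explosions."""
    return failures_per_million_hours(boiler_mtbf_hours) * explosion_fraction


def annual_boiler_hours(boilers_in_use_avg: float) -> float:
    """Boiler operating hours accumulated per ship-year for the given average
    number of boilers in use (the report assumes 1.5 of the two boilers)."""
    return boilers_in_use_avg * HOURS_PER_YEAR


def ship_years_between_explosions(explosion_rate_pmh: float,
                                  boilers_in_use_avg: float) -> float:
    """Expected ship-years between explosions: the explosion MTBF (reciprocal
    of the rate) divided by the boiler hours accumulated per ship-year."""
    mtbf_explosion_hours = 1_000_000 / explosion_rate_pmh
    return mtbf_explosion_hours / annual_boiler_hours(boilers_in_use_avg)


def report_estimate(boilers_in_use_avg: float = 1.5) -> dict:
    """Carry the report's derivation through with the table totals."""
    # Table IV-10 totals over all five ship classes (ARINC report, 3M data).
    arinc_failures, arinc_hours = 247, 573_046
    # Table IV-11: furnace explosions out of all accidents reported for 1979.
    furnace_explosions, all_accidents = 78, 1_218

    boiler_mtbf = pooled_mtbf_hours(arinc_failures, arinc_hours)
    explosion_fraction = furnace_explosions / all_accidents
    rate = explosion_rate_per_million_hours(boiler_mtbf, explosion_fraction)
    years = ship_years_between_explosions(rate, boilers_in_use_avg)
    return {
        "boiler_mtbf_hours": boiler_mtbf,
        "explosion_fraction": explosion_fraction,
        "explosions_per_million_hours": rate,
        "boiler_hours_per_ship_year": annual_boiler_hours(boilers_in_use_avg),
        "ship_years_between_explosions": years,
    }


if __name__ == "__main__":
    for key, value in report_estimate().items():
        print(f"{key:32s} {value:12.3f}")
    # Sensitivity: with both boilers steaming continuously the interval shortens.
    both_on = report_estimate(boilers_in_use_avg=2.0)
    print(f"{'both boilers on, ship-years':32s} "
          f"{both_on['ship_years_between_explosions']:12.3f}")
```

With the defaults the functions return an MTBF of about 2,320 hours, a furnace-explosion share of about 6.4 percent, 27.6 explosions per million boiler hours, 13,140 boiler hours per ship-year and one explosion every 2.76 ship-years, matching the text; with both boilers assumed on continuously the interval drops to about 2.07 ship-years, which shows how sensitive the estimate is to the usage assumption.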
TABLE IV-10

Log #508, ARINC Report; Boiler Failures Based on 3M Data;
Mean Time Between Failure, Forced Shutdown

Ship        Number of        Total          MTBF
Class       Failures         Hours          (Hours)

  1            86            66,261            728
  2            43            85,982          1,999.6
  3            19           220,262         11,600
  4            74           134,280          2,228
  5            25            66,261          2,650

Total         247           573,046          2,320
TABLE IV-11

Accidents Reported by National Board Members and
Other Authorized Inspection Agencies
(For the period January 1, 1979 - December 31, 1979)

                            Number of    Percentage      Number of    Number of
                            Accidents    of Accidents    Injuries     Deaths

Tube Rupture                   281          23.1             2
Shell Rupture                   33           2.7             1            1
Furnace Explosions              78           6.4            13            1
Flarebacks                       6           0.4
Low-Water Failures             404          33.2
Miscellaneous Over-             88           7.2
  heating Failures
Piping Failures                 68           5.6            14            3
Poor Maintenance of             73           6.0
  Controls
Unsafe Practice                 23           1.9
Construction-Code                1           0.1
  Violation (Welds)
Dry Fired                      102           8.4             2
Tube-Sheet Crack                61           5.0

Total                        1,218                          32            5
B.(1)(h)  Information Received from Navy Maintenance
          Material Management (3M) System

DOVAP requested a special data run from the Navy 3M system
on automated propulsion control system failures that had been
experienced on selected Navy ships. Data was requested on 16
ships which were known to have various levels of automation.

The time period requested was from January 1981 through June
1982, or a total of 288 ship-months of data. Although this is
probably the best data obtainable for substantiating predicted
values, there are some limitations to the data, as follows.

Failure rates for individual component types cannot be
computed because the quantities per system are not known. In
general, the complexity of the systems is considerably less than
that of commercial systems. The data provided is for replacement
parts, and it is assumed that the majority of the parts are
requested because of failures. In compiling the statistics,
expendable parts and materials were not accounted for, such as
lamps and individual electronic parts (transistors, diodes,
etc.).

The Equipment Identification Codes (EIC's) requested were
for all failures recorded for automation control room components.
No data was received related to valves, valve actuators,
pneumatics and other hardware. It appears that the data included
in this EIC classification is only for the control room
electronics and associated field sensors. It is assumed that the
printed circuit card failure rate is somewhat larger than the
replacement rate because of the capability of the Navy to repair
some circuit cards on-board. For the calculation of overall
failure rates, DOVAP assumed that the equipment is on constantly,
that is, 730 hours per month.

The ships covered in this study are presented in Table
IV-12 and the summary data itself in Table IV-13. The summary
shows that the Navy ships experience a failure every 1.6 months,
for a mean time between failure of 456 hours (assuming 730 hours
of operation per month). The top three contributors are: (1)
switches, with a failure rate of 0.69 per month; (2)
transducers/sensors at 0.48 failures per month; and (3) printed
circuit cards with 0.19 failures per month. It is interesting
to note that the switch failure rate is significantly higher
than that for transducers and sensors. To date, much of the
literature has emphasized the problems with transducers/sensors
and relatively few documents note extensive problems with
switches. Because switch problems can be just as critical as
those of transducers/sensors, the application of switches should
be scrutinized as severely as sensors and transducers.

Within the limitations cited above, there is a relatively
close correlation between the predicted values from the DOVAP
study and those from the 3M data.
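The 3M summary above is a rate-and-ranking calculation over replacement counts. The following added example (not part of the DOVAP report) takes the Table IV-13 counts with the report's assumptions of 288 ship-months and 730 operating hours per month, and returns the per-ship-month rates, the fleet MTBF and a Pareto ranking of contributors; it also checks that the transducer/sensor sub-class counts add up to the group total. Two sub-class entries (Level Indicator, Flow Transmitter) are illegible in the scanned table and are inferred here so that the sub-classes sum to 139. Function and constant names are this example's own.

```python
# Added example (not from the DOVAP report): per-ship-month failure rates,
# overall MTBF and a ranked contributor list from the Table IV-13 counts,
# the way the 3M summary in B.(1)(h) was derived.
from typing import Dict, List, Tuple

# Replacement-part counts by component class, Table IV-13 (Jan 1981 - Jun 1982).
FAILURE_COUNTS: Dict[str, int] = {
    "Switches": 199,
    "Transducers/Sensors": 139,
    "P.C. Cards": 56,
    "Indicators": 29,
    "Amplifiers": 17,
    "Ignitors": 6,
    "Meters": 5,
    "Alarms": 3,
    "Tachometers": 3,
    "Buzzer/Siren/Horn": 3,
    "Supply": 3,
}

# Sub-classes of the transducer/sensor group. Level Indicator and Flow
# Transmitter are illegible in the scan and are inferred (6 and 1) so that the
# sub-class counts sum to the group total of 139; all other counts are the table's.
SENSOR_SUBCLASSES: Dict[str, int] = {
    "RTD": 69, "Transducers": 11, "Sensors": 6, "Pressure Transmitter": 2,
    "Pick Up": 1, "ARC Probe": 30, "Probe": 3, "Transmitter": 5,
    "Level Indicator": 6, "Flow Transmitter": 1, "Pressure Transducer": 4,
    "Diff Pressure Unit": 1,
}

SHIP_MONTHS = 288        # 16 ships, January 1981 through June 1982
HOURS_PER_MONTH = 730    # equipment assumed on continuously (report's assumption)


def total_failures(counts: Dict[str, int]) -> int:
    return sum(counts.values())


def rate_per_ship_month(count: int, ship_months: int = SHIP_MONTHS) -> float:
    """Failures per ship per month for one component class."""
    return count / ship_months


def overall_mtbf_hours(counts: Dict[str, int], ship_months: int = SHIP_MONTHS,
                       hours_per_month: int = HOURS_PER_MONTH) -> float:
    """Fleet MTBF across all classes: fleet operating hours / all failures."""
    return ship_months * hours_per_month / total_failures(counts)


def ranked_contributors(counts: Dict[str, int]) -> List[Tuple[str, float, float]]:
    """(class, failures per ship-month, cumulative share of all failures),
    largest contributor first: a Pareto view of where the failures come from."""
    total = total_failures(counts)
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    rows, running = [], 0
    for name, n in ranked:
        running += n
        rows.append((name, round(rate_per_ship_month(n), 2), round(running / total, 3)))
    return rows


def subclasses_consistent(group_total: int, subclasses: Dict[str, int]) -> bool:
    """Check that a group's sub-class counts add up to the group total."""
    return sum(subclasses.values()) == group_total


if __name__ == "__main__":
    print("total failures:", total_failures(FAILURE_COUNTS))
    print("overall MTBF (h):", round(overall_mtbf_hours(FAILURE_COUNTS), 1))
    for name, rate, cum in ranked_contributors(FAILURE_COUNTS):
        print(f"{name:22s} {rate:5.2f}/ship-month   cumulative {cum:6.1%}")
    print("sensor sub-classes consistent:",
          subclasses_consistent(FAILURE_COUNTS["Transducers/Sensors"],
                                SENSOR_SUBCLASSES))
```

Two things worth noticing in the output: the top three classes (switches, transducers/sensors, printed circuit cards) account for about 85 percent of all replacements, which is the point the text makes about where scrutiny belongs; and the exact fleet MTBF is 210,240 / 463 = 454.1 hours, while the report's 456 hours is 730 divided by the already rounded 1.6 failures per month, so round only at the end of a chain like this.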
TABLE IV-12

Ships Covered in 3M Special Data Run

JANUARY 1981 - JUNE 1982

AO-177      USS Cimarron
AO-178      USS Monongahela
AO-179      USS Merrimack
LKA-113     USS Charleston
LKA-114     USS Durham
LKA-115     USS Mobile
LKA-116     USS Saint Louis
TABLE IV-13

Summary of Data From Navy 3M System

Overall MTBF = 456 Hours

                                                        Failures
                                   Type      Class      Per Ship
                                   Total     Total      Per Month

 1)  Switches                                 199         0.69
 2)  Transducers/Sensors                      139         0.48
       RTD                          69
       Transducers                  11
       Sensors                       6
       Pressure Transmitter          2
       Pick Up                       1
       ARC Probe                    30
       Probe                         3
       Transmitter                   5
       Level Indicator               6
       Flow Transmitter              1
       Pressure Transducer           4
       Diff Pressure Unit            1
 3)  P.C. Cards                                56         0.19
 4)  Indicators                                29         0.10
 5)  Amplifiers                                17         0.06
 6)  Ignitors                                   6         0.02
 7)  Meters                                     5         0.02
 8)  Alarms                                     3         0.01
 9)  Tachometers                                3         0.01
10)  Buzzer/Siren/Horn                          3         0.01
11)  Supply                                     3         0.01

TOTAL                                         463         1.60


B.(2)  R&M Qualitative Data


About sixty documents reviewed during the Task I literature
survey contain qualitative R&M data of some type. This ranges
from complete methodology papers to detailed descriptions of
problems incurred in service, to "nuggets" which cite a particular
failure mode, trend, reliability design precaution, or
the like. The major findings and conclusions in the area of
qualitative R&M data can be summarized as follows:

B.(2)(a)  Failure Modes and In-Service Experience: These two
areas are related because in-service experience quite often
involves detection and/or correction of failure modes. A
considerable amount of data is provided. This includes:

a)  There is general consensus that sensors appear to
    present one of the biggest "inherent" reliability
    problems.

b)  Many premature failures occur in automation systems,
    and a large percentage of these stem from
    shipyard installation. Many wiring error problems
    were cited. Also, many operational problems with
    pneumatic and hydraulic systems were encountered
    due to dirt, moisture and leaks induced during
    construction. One study (Log #026) reports a correlation
    between achieved reliability and the shipyard
    constructing the vessel. The author attributes
    this to the quality control (or lack thereof)
    exercised during manufacture and installation.

c)  Several papers report that "small" items (sensors,
    remote valve operators, limit switches, etc.) cause
    more problems than does major machinery. One
    paper, however, (Log #053) reports that there are
    indications that machinery faults prevent
    unattended engine room operation more often than
    control and instrumentation faults.

B.(2)(b)  R&M Methodology: Several documents describe
methodologies for reliability and maintainability analyses.
Some of these tend to be overly tutorial, or else too specific
for general application. Only one document, Log #070, which is
in textbook format, was found that could be utilized effectively
by someone without an extensive R&M background.

B.(2)(c)  Maintenance Practices: Most of the documents that
dealt with maintenance practices were developed for the Navy,
but all documents that addressed this topic cited the
correlation between good maintenance practices and good
reliability. Only five formal maintenance systems, other than
Navy systems, were reported. One of these was the system
evaluated on the M.V. Sugar Islander.

The Sugar Islander "system" consisted of a program of
scheduled maintenance and reporting, with emphasis on preventative
maintenance. It is reported that this system reduced
costs, permitted better inventory control, and facilitated the
detection of impending failures.

In all these documents, there was general agreement that
with engine room automation, watchstanders could devote more
time to maintenance. It was not conclusive, however, that this
time was used for preventative maintenance. Several papers
reported that the automation system itself required considerable
maintenance, with one paper reporting that this required two to
six hours per day for testing, adjustments, and servicing.
Also, with steam systems, it appears that a considerable amount
of time is spent "fine tuning" the system. Several papers point
out that when done properly, this reduces operating costs. It
was also pointed out that this increases reliability. (For
example, burning with low excess air improves the boiler
operating environment.)

B.(2)(d)  Design Approaches for Reliability: A number of papers
at least touched on this subject. These primarily dealt with
redundancy provisions, back-up power supplies, sensor mounting
approaches, etc. Conflicting views were given with respect to
the reliability of signal multiplexing onto a single cable
versus individual signal cables. All in all, however, the few
in-depth treatments of this subject were primarily Navy-related.


B.(3)  Maritime R&M Status Information

Four documents contain specific information on the status
of R&M in the maritime industry; a number of other documents
make points related to this topic. The most comprehensive
document reports on a study of maritime R&M status done for
MarAd (Log #116). This study was done in 1976, and nothing
comprehensive and more recent was found during this literature
search. This document concludes that (1) an R&M program is
needed in the maritime industry, (2) an R&M data base is needed,
and (3) more attention should be devoted to environmental
factors. DOVAP feels that this document and its conclusions are
still valid.

In 1977, a study was conducted for MarAd to initiate an R&M
program (Log #047). The study reported in Log #047 was the
first phase of the program, and recommended three subsequent
phases, viz. (1) development of a pilot program, (2)
implementation of the pilot program, and (3) implementation of
the continuing program. No subsequent information concerning
the fate of this program was found during this literature

corrective maintenance.

as fast as the existing technology. This could be due to
owners/operators feeling that state-of-the-art controls are not
cost effective.


The literature search indicates definitely that the cost
effectiveness of computer systems has not been established. This
is because, in part, standardization of computer systems is
difficult, and software is a high risk and costly item. A few
papers recommend that software be developed concurrently with
the hardware, but overall, software considerations were
conspicuous by their absence.

Some on-board computers have exhibited excellent
availability (up to 99 percent). This is attributed to
redundancy provisions, self-check features, adequate spares
available for repair, and modular design approaches for ease of
component replacement. Other features cited as desirable
include provisions for system check-out, adequate diagnostic
routines, "fail gracefully" system architecture, and immediate
failure response to protect against secondary failures.

In the area of instrumentation, sensors are cited as a
major "weak link" in system reliability. Some sensor problems
are due to poor application, primarily in that the sensors were
not developed for marine use. Other problems are due to poor
installation (workmanship) and poor maintenance.

A "learning curve" in the operation of automated systems is
readily apparent. False alarms are reported to be a big problem
during the first two years of operation. It is also reported
that the frequency of alarms, both real and false, decreases
over the first two years. One study shows that after a "steady
state" is reached, there is an average of one real alarm every
three days and three false alarms per month. Another document
reports that after de-bugging, alarms are rare, and that alarms
at night on the order of one per month, or less, are not
unusual.

Most documents do not address the consequences of alarms,
e.g., the downtime due to real and false alarms, the time spent
switched over to manual, whether the cause of the alarm was
corrected through repair or fine tuning the system, etc. The
need for better and more frequent sensor and systems checks is
cited.


B.(6)  Spare Parts Assessments

About ten documents discuss spare parts provisioning or
assess spare parts policies. These documents generally concur
that provisioning policies are ineffective and haphazard, and
that the shipboard spares status is generally unknown. A
particularly comprehensive assessment of spares policies (Log
#005) reports that spare parts provisioning levels were based on
subjective experience which tended, in many cases, to be greatly
influenced by recent equipment failures. This document also
reports that in spite of poor spares policies there were few
sailing delays, due to temporary repairs, loans, and
substitutions, and because suppliers often maintained depots in
key areas. Another document (Log #011), however, reports that
sections of automation systems were out of service for months
due to lack of spare parts. Also, one of the contributing
factors cited in the investigation of the ramming of the Lorenzo
D'Amico by the China Sea (Log #007) was lack of spare parts for
the engine control system.


B.(7)  Regulations/Requirements

About ten documents provide information on mandatory and
non-mandatory regulations and requirements. These include the
regulations documents themselves, such as the USCG "Navigation
and Vessel Inspection Circular No. 1-69, Subject: Automated
Main and Auxiliary Machinery," the ABS Rules for Building and
Classing Steel Vessels, MarAd standard specifications, and the
IEEE Recommended Practices for Shipboard Installations. They
also include a few papers that discuss the regulations.

None of these regulations/requirements specifies quantitative
R&M provisions. Numerous qualitative requirements to enhance R&M
are in evidence throughout all of them. There is some overlap
in qualitative requirements among these various documents, but in
many cases each document specifies requirements that the others
do not cover.

Each document contains specifications for the operating
environment the equipment must withstand. This includes
temperature, shock, vibration, acceleration, etc. The
requirements vary from document to document as illustrated in
Table IV-14.


B. (8)  Environmental  Information 

About  thirty  documents  provide  environmental  information  of 
various  types.  The  subjects  covered  include  vibration, 
materials  compatibility,  corrosion,  shipboard  EMI,  and  the 
shipyard  environment.  Other  documents  also  cite  various  aspects 
of  the  shipboard  environment,  ranging  from  dust  (grain  ships)  to 
vapors  and  battery  fumes,  and  even  to  spilled  beer. 

In  the  areas  of  vibration  and  materials  compatibility,  the 
emphasis  is  almost  entirely  on  hulls  and  structures.  Except  for 
an  occasional  mention,  such  as  the  need  for  shock  mounts  or  the 
need  to  protect  dissimilar  mating  materials,  considerations  in 
these  areas  for  automation  equipment  were  conspicuous  by  their 
absence. 

Vibration is recognized as a big problem, especially in
recently built ships, but its relationship to reliability, in
general, does not seem to have received much attention. One
document (Log #029) summarizes the state of the art of vibration
analysis and prevention, and points out that there are
controversy and conflicting views, and that a major, long-range
effort is still required to fully understand the underlying
phenomena and provide design tools. There is general agreement
that vibration is a function of many variables (such as ship
speed), and that vibration levels for a particular ship often
remain unknown prior to actual operation.


In  the  area  of  corrosion,  several  papers  point  out  that 
electrical/electronic  components  used  on  board  a  ship  may  not 
have  been  designed  for  the  marine  environment.  Protective 
measures  recommended  include  use  of  hermetically  sealed  or 
conformal  coated  electronics  components,  use  of  moisture  proof 
connectors,  plating  of  metal  parts,  etc. 

Shipboard EMI is another area recognized as a big problem.
One paper (Log #021) reports that transients as high as 600 to
700 volts have been measured on common supply lines. Another
paper (Log #034) reports extensive problems due to electronic
components being damaged by electrostatic discharge, even in the
high humidity of the shipboard environment. Several other
papers report high RFI and EMI in engine rooms and on bridges.
Still, few practical approaches to the control or prevention of
EMI are discussed except for recommendations in Log Numbers 021
and 034. The regulations/requirements documents specify some
provisions, such as grounding, use of twisted pairs in certain
cases, etc. It is not clear that these are specific and
in-depth enough, however, for the modern shipboard electronic
environment.

The effect of the shipyard environment on reliability was
discussed in Section B(2)(a) above, where it was pointed out that
many premature failures in automation systems stem from shipyard
installation. One paper (Log #026) reports a direct correlation
between the shipyard constructing the vessel and the vessel's
casualty rate. Several papers cite "dirty" shipyard conditions
as the cause for later reliability degradation.


B.(9) Other

Several  topics  are  included  under  this  heading  and  are 
discussed  below. 


B.(9)(a) Condition Monitoring/Failure Prognosis: Ten documents
were obtained (out of many available) on this subject. Two of
these (Log #058 and #112) described VIDEC, the vibration and
thermal analysis system evaluated aboard the S.S. President
Johnson. Other documents describe new trends or applications of
existing condition monitoring approaches. Two documents report
"successes"; one (Log #054) with the Navy's use of ferrographic
lube oil analysis, and another (Log #028) with pre-dry dock
equipment vibration surveys.


Overall, this area appears to still be in its infancy, and
reports generally seem inconclusive as to the benefits of
condition monitoring. Each system is unique in terms of the
signatures it generates for use in condition monitoring, and it
can take years to reach a steady state condition. In addition,
most equipment tends to degrade with time, and the ship
vibration spectrum can also be constantly changing. Such
factors as these create problems with establishing a baseline
for accept/reject failure prognosis criteria.


B.(9)(b) Data Bases: Seven documents discuss this topic, and
there is agreement that, except for Navy data, existing U.S.
maritime data bases are not adequate for reliability and
maintainability quantitative evaluations. Existing non-Navy
data bases, such as those maintained by MarAd and the U.S.C.G.,
do not provide operating time, reports on all equipment that
failed, or the number of equipments that did not fail. One
document reports that the private sector often considers its
data proprietary. To overcome such problems, and to permit
numerical evaluations based on actual, operational data, many
documents cite the need for a standard R&M reporting system.


B.(9)(c) Crew Skills/Training: About fifteen documents
specifically address crew skills and/or training, and a large
percentage of all documents make some reference to this area.
DOVAP noted that often the need for better training was used as
a sort of "cure all" conclusion, and that there was little
further discussion as to the specific training needed.

One document generated for the Navy pinpointed a problem
due to the lack of analog troubleshooting skills, and
recommended training in this area. Less specific
recommendations in other documents involve the use of training
simulators, union schools, and on-board cassettes and video
tapes.

There is general agreement that human factors in the
maritime industry need attention. One study reported that 25
percent of all control system adjustment or calibration problems
were caused by the crew. Several papers reported that
maintaining and troubleshooting an automation system were beyond
the capabilities of the crew. A reason given for this was that
the uniqueness of each system and the crew turnover rate did not
permit personnel to become familiar enough with the equipment.
A few papers recommended that an "electro-technician" be added
to the regular on-board crew.

The Maritime Transportation Research Board recently
identified critical issues in need of examination (Log #068).
Due to the increase in vessel accidents of all types, one of
these issues was maritime safety. The Board stated that
extensive efforts have been taken to alleviate this problem, and
that the emphasis has been on physical solutions (design,
construction, etc.). It is pointed out that the most serious
aspect of the safety problem involves people. The nebulous
nature of the problems to be solved is also pointed out, and the
urgent need for research on personnel is cited.

B.(9)(d) Support Equipment/Documentation: This category
involves the "back up" required to operate an automation system
and keep it running, and includes test equipment, maintenance
manuals, troubleshooting procedures, and the like. Six
documents were found which made reference to this area, but
overall, these subjects were conspicuous by their absence.

The need for better fault isolation and check-out
procedures was cited, as was the need for adequate test points
on printed circuit boards. One paper describing experience with
a computer-based system reported that diagnostic tapes were
available, but that when the computer malfunctioned it was not
possible to read in the tapes. Another reported high
availability of a computer system, one of the reasons being
that no problem had occurred which precluded reading in the
diagnostic tapes.

The literature search indicates to DOVAP that this is an
overlooked area, and is in need of attention. While often
simply a nuisance or shortcoming, lack of adequate support
equipment and documentation can lead to a hazardous situation.
One of the contributing factors cited in the ramming of the
Lorenzo D'Amico by the China Sea (Log #007) was lack of
troubleshooting and repair procedures for the engine control
system.
V. CONTROL SYSTEMS SELECTED FOR REVIEW


During Task II, the engine room automation systems on two
steam vessels and one diesel vessel were analyzed. For these
analyses, three major overall criteria were established.

The first major overall criterion of the study was that the
systems evaluated represent different technological approaches.
To this end, the Coast Guard selected the particular vessels to
be analyzed from a candidate list of vessels developed by DOVAP.

The second major overall criterion was that each system be
evaluated to the same depth of detail. To accomplish this,
DOVAP obtained documentation that would permit analysis down to
the detailed circuit level on all three systems. This documen­
tation consisted of circuit schematics, parts lists, wiring
diagrams, panel layouts, and various types of technical manuals.

The third major criterion involved establishing system
boundaries, or, in other words, defining where the engine room
control system "stopped" and other ship systems "began." The
ground rule applied in defining these boundaries was based on
whether or not the vessel would be fitted out with the equipment
in question if it did not have an automated control system.
Based on this ground rule, support systems such as ship's
electrical power and control air were deemed not a part of the
systems to be evaluated, since they would be provided on board
regardless of whether the engine room was automated. Other areas
ruled out by this ground rule were atomizing steam, gland steam,
pumps (fuel pumps, lube oil pumps, etc.), and valves not
specifically required by the automated controls.

In the subsections that follow, the vessels and their
control systems selected for review are described. Various other
aspects of study coverage and ground rules are also discussed
for each of the three vessels. These aspects are those that are
applicable to all Task II reliability analyses. Aspects unique
to a particular Task II effort (e.g., predictions) are discussed
in the section devoted to that particular effort.


A. CONTROL SYSTEMS SELECTION PROCESS

Considerable effort was devoted to the selection of the
control systems that would be investigated during the study.
DOVAP generated a list of candidate systems based on the
following criteria:

a) The vessel must have an automated propulsion control
system.

b) The candidate vessel should have been handed over to the
owner/operator within the last five years. This was to
ensure that the system is of the current state of the
art, and also that there is substantial operating time
on the vessel.

c) The vessel is in excess of 1,600 DWT.

d) The vessel has been operated beyond the various warranty
periods.

e) The vessel is U.S. flag.

f) The control system is produced by a U.S. manufacturer.

g) Sufficient documentation on the vessel is available for
analysis during the study period.


The objective of this portion of the study was to provide
a candidate list to the Coast Guard based on the above criteria.
The final selection of the systems was made by the Coast Guard
during the first workshop. During the preliminary investigation,
shipyards confirmed that the types of control and monitoring
systems installed in various vessels were usually defined
in the initial ship specifications. The shipyard, in turn,
obtained bids from various control system manufacturers, and
based the selection of the control system subcontractor upon
these bids. In some cases control system manufacturers had been
able to have their systems defined within the body of the
specifications. The investigation also revealed that the number
of companies offering complete systems of their own design is
limited.

Based  on  the  process  just  described,  three  vessels  were 
selected  for  analysis.  Two  of  them  (Ships  A  and  B)  are 
steam-driven,  and  one  (Ship  C)  is  diesel. 


B. SHIP A CHARACTERISTICS, COVERAGE AND GROUND RULES

B.(1) Ship A Characteristics

Ship A is a 165,000 DWT turbine tanker, and is one of six
ships of its class. It was delivered in the summer of 1979.
Its regular trade route takes it from tropical to subarctic
regions, with each voyage taking about one month. Most of each
voyage is spent in the full ahead cruise mode, with maneuvering
requiring roughly 15 hours per voyage.

It has two boilers, with three burners per boiler. A
two-man engine room watch is maintained at all times.

Ship A contains two essentially separate automation systems
with only a small amount of interfacing between them. These
were built by two different manufacturers, and one system
provides automatic boiler and combustion control while the other
provides turbine speed and direction control. Each system has
two manual back-up modes.


B.(2) Ship A Boiler and Combustion Control Characteristics

The boiler and combustion control system on Ship A is based
on a hybrid digital-electronic/pneumatic approach. The purge
and light-off sequence, boiler and burner trip control, and the
alarm/annunciator system are implemented with digital logic.
Pneumatic control loops are provided for such parameters as
superheated steam temperature, fuel oil and combustion air flow,
fuel oil temperature, etc. Some relay logic is used for
feedpump control and automatic burner sequencing. In addition,
the manual back-up boiler front panel is extensively implemented
with relay-based control. Essentially no electronic analog
controls are utilized.

Automatic  sequencing  of  a  boiler's  three  burners  allows 
selection  of  a  base  burner,  which  remains  lit,  and  automatic 
on/off  control  of  the  other  two  burners  to  match  increases  or 
decreases  in  steam  demand. 

Boiler and combustion control can be exercised in three
ways. In the automatic mode, control is from the engine room
console (ERC), which provides completely automatic sequencing
and safety shutdown. In the manual back-up mode, control is
from the boiler front panel. This mode provides complete boiler
control but contains no boiler safety or trip features. The
third mode is totally manual and requires manual opening/closing
of valves, inserting/retracting of ignitors, etc. There are no
provisions for boiler or combustion control from the bridge.

Four conditions cause a boiler trip in the automatic mode,
namely:

a) Boiler drum level below low-low

b) Loss of combustion air (fan fail)

c) Purge or light-off sequence fail

d) Burner trip (burner valve open and no flame)

Any of these trip conditions causes the boiler master fuel oil
valve to close. In addition, light-off is inhibited if any of
these conditions exist.

There are two identical sets of boiler controls, one for
boiler #1 and one for boiler #2. In addition to the actual
control devices, a number of alarm/annunciators are provided for
both boilers.
B.(3) Ship A Turbine Speed and Direction Control Characteristics

Ship A's automatic turbine speed and direction control is
based on a classical feedback servo loop. Signals from the
bridge or engine room throttle lever are compared with the
actual positions of the ahead and astern steam valves. A signal
proportional to the error between the commanded and actual
positions is thus continuously generated. This error signal
drives a slide block in a hydraulic manifold such that the
requisite hydraulic pressure is applied to increase or decrease
the opening of the turbine ahead or astern steam inlet valves.

The feedback servo loop extensively utilizes
electronic-analog circuitry. The hydraulic portion of the
system is based on a variable displacement hydraulic pump.

Two manual back-up modes are available. First, a manual
hydraulic handpump is provided so that hydraulic pressure can be
maintained in event of failure of the variable displacement pump
unit. In the handpump mode, there are also manual provisions
for opening/closing the turbine steam valves. This is
accomplished through an ahead/astern selector switch coupled
with a manual control valve for adjusting opening/closing rates
for the turbine steam valves. This latter provision enables
manual speed and direction control in event of failure of the
automatic servo control loop.

In  the  second  manual  back-up  mode,  speed  and  direction 
control  is  achieved  by  direct,  manual  operation  of  the  turbine 
steam  valves  via  their  valve  spindles.  This  operating  mode 
would  be  used  in  event  of  complete  failure  of  the  hydraulic 
system. 

In the automatic operating mode, nine conditions can cause
a turbine trip, namely:

a) Turbine lube oil pressure low

b) Turbine vibration high

c) Condenser level high/low

d) Boiler steam pressure low

e) Turbine overspeed

f) Turbine steam valve overtravel

g) Boiler drum level high

h) No auto rollover when throttle at stop

i) Hand turning gear engaged in auto mode

Any of these trip conditions, as well as manual depression of
the trip pushbutton, causes the turbine steam valves to close.
The only interfaces between the boiler control and turbine
control systems consist of the boiler steam pressure and drum
level signals needed for the above trips. There are no turbine
trip provisions in the manual modes.

As indicated above, automatic turbine control can be
exercised from either the engine room or bridge, depending on
which location is in control. Control location selection
switches and indicators are provided on both the bridge and
engine room consoles, as are turbine trip pushbutton switches.

An  extensive  turbine  alarm/indicator  array  is  mounted  on 
the  engine  room  console.  Four  turbine  system  alarm  indicators 
are  mounted  on  the  bridge  console,  namely: 

a)  Throttle  control  manual  trip 

b)  Shaft  stopped 

c)  Throttle  control  off  normal 

d)  Throttle  control  hydraulic  pump  failed 


B.(4) Ship A Coverage and Ground Rules

The Task II analyses of Ship A covered all automatic
controls for the boilers, steam plant, and turbine. This
coverage extended down to the part level (e.g., integrated
circuit gates and flip-flops, relays, pneumatic control valves,
etc.).

Parts  were  grouped  functionally  for  analysis  where  the 
parts  within  the  group  exhibited  the  same  failure  effects.  For 
instance,  the  electronic  parts  constituting  a  solenoid  driver 
were  combined  into  a  solenoid  driver  functional  grouping  on  the 
basis  that  the  failures  of  any  of  these  parts  would  cause  the 
solenoid  driver  to  either  stay  active  or  stay  inactive. 

All electronic parts were assumed to be constantly powered.
Also, it was assumed that no preventive maintenance is
possible for electronic parts. Both these assumptions are
realistic.

The analyses covered only hardware needed for automatic
operation. Manual back-up provisions were not specifically
considered, although they were evaluated and included in two
cases. These cases are (1) where failures in manual back-up
equipment can interfere with automatic operations, and (2) where
specific hardware is common to both the manual and automatic
modes. This commonality occurs on Ship A in some areas of the
boiler front panel, where equipment in this panel serves
interface functions between the boiler and the engine room
console for sensors and switching.

Light emitting diodes are provided on many electronic
printed circuit cards for troubleshooting purposes. These
indicators were not considered in the analyses.

The ship's auxiliaries were not considered. These were
excluded primarily on the basis of the overall ground rule cited
above involving whether or not the equipment would be provided
if there were no automation. In some instances, there is
automation associated with the auxiliaries (alarms, pump off/on
controls, etc.). In these instances, however, there is no
interface of any type with the propulsion system automation.

On Ship A, communications equipment ranges from the ship's
telephone system to sound powered telephones and walkie-talkies.
These were not considered during the analyses because the
overall communication system appeared adequate for any need that
might arise due to engine room automatic control failures.

Finally, the engine room console power supplies were
considered only at the "black box" level during the Task II
analyses. These power supplies consist of two redundant units
for converting the ship's AC power to the DC needed by the
controls. They are purchased as off-the-shelf units from a
power supply manufacturer. They were considered at only the
"black box" level for two reasons. First, since they are
redundant, potential reliability problems should have been
minimized. Second, as off-the-shelf units, their design
adequacy should have been proven.


C. SHIP B CHARACTERISTICS, COVERAGE AND GROUND RULES


C.(1) Ship B Characteristics

Ship B is a 39,990 DWT turbine tanker, and is one of three
ships of its class. It was delivered in September of 1981. Its
regular trade routes are the west coasts of the United States
and Mexico. Length of time of voyages varies from three to
fourteen days. The maneuvering time in and out of port varies
anywhere from two hours to twenty hours. The normal watch
during cruising is one unlicensed watchstander and one engineer.

The  vessel  contains  two  boilers  and  two  burners  per  boiler. 
During  maneuvering  and  normal  cruising  usually  both  boilers  and 
both  burners  are  on.  When  the  ship  is  tied  up,  usually  one 
burner  per  boiler  is  on. 
C.(2) Ship B Control System Characteristics

The automated controls on Ship B are provided by two major
manufacturers. One supplies the controls for the boiler and the
majority of the auxiliaries; the other supplies the controls for
the turbine. The turbine controls are the same as on Ship A.

The boiler controls and auxiliary controls utilize a
combination of analog and digital electronic circuits. The
analog control circuits automatically monitor and control
continuously changing system values. Each control circuit is
provided with a manual/automatic station or selector switch to
permit manual control of individual valves and dampers when
conditions demand a remote/manual mode of operation.

The boiler control analog circuits covered in this study
are:

a) Deaerator level control.

b) Combustion control.

c) Superheated steam temperature control.

d) Feed water pump differential pressure control.

e) Drum level control.

f) Feed water recirculation valve control.

g) Steam dump control.

h) Fuel oil temperature control.

i) Fuel oil recirculation control.


Digital controls provide on/off, and in some cases
automatic sequencing, for individual pieces of equipment. The
digital circuits covered in this study are as follows:

a) Lube oil service pump switching.

b) Feed pump start/stop circuits.

c) Burner management subsystem.

The digital control circuits for the lube oil service pumps
and the feed pumps automatically switch in the standby unit upon
primary pump shutdown. The burner management controls provide
automatic light-off and the safeguards for automatic burner
and/or boiler shutdown.


C.(3) Ship B Coverage and Ground Rules

The study coverage and ground rules applied to Ship B are
the same as those for Ship A.
D. SHIP C CHARACTERISTICS, COVERAGE AND GROUND RULES

D.(1) Ship C Characteristics

Ship C is a 27,500 DWT twin-diesel tanker and is one of
nine of its class. It was delivered in 1975. It is chartered
as a supply vessel, and operates on a tramp route worldwide.
Maneuvering requires roughly 20 hours per month, with the
remainder of the time spent in the full ahead cruise mode. Its
two 7,000 hp diesels drive a controllable pitch propeller (CPP).
Ship electrical power is from a generator driven by the main
shaft.

Ship C's automation system provides both engine and CPP
control. There are three modes of operation: (1) cruise mode, in
which the engine room is in control and trims shaft speed to
meet the requirements of the shaft driven generator; (2)
maneuver mode, in which either the bridge or engine room can
exercise control via their respective throttle levers; and (3)
split mode, in which the engine room exercises direct operator
control of each of the two engines. In the maneuver mode, the
engine room normally exercises control when waterway
restrictions dictate quick response. When such restrictions do
not exist, the bridge maintains control during maneuvering. A
local control station between the two engines, two levels below
the engine control room, provides manual back-up capability.

A  one-man  engine  room  watch  is  maintained  during  normal 
cruising.  A  two-man  watch  is  provided  while  maneuvering. 

Ship  C's  control  system  consists  of  four  functional  areas. 
Each  of  these  is  discussed  below. 


D.(1)(a) Station in Control

Since  the  vessel  can  be  controlled  from  either  the  bridge, 
engine  room,  or  local  station,  "station  in  control"  logic  is 
provided.  This  logic  is  implemented  with  digital  electronics, 
and  performs  two  functions. 

The first function is to control and sequence transfers of
vessel control from one location to another. The second
function is to generate the "station in control" signals which
enable or inhibit, as appropriate, vessel control commands from
each of the three control locations.


D.(1)(b) Engine and Clutch Control

The engine and clutch control function is primarily
implemented with digital logic, and controls stop/start and
clutch/declutch of each engine. A number of permissives are
involved in these processes. For instance, engine start is
inhibited if engine lube oil pressure is inadequate; the engine
is inhibited from being clutched in until it has come up to
speed.

This control area also provides engine safety shutdowns.
These occur if any one of the following eight parameters is
out-of-limits:

a)  Engine  lube  oil  pressure 

b)  Fuel  oil  pressure 

c)  Rocker  lube  oil  pressure 

d)  Jacket  water  pressure 

e)  Jacket  water  temperature 

f )  Injector  coolant  pressure 

g)  Injector  coolant  temperature 

h)  Reduction  gear  lube  oil  pressure 

A  manual  override  is  available  to  prevent  engine  shutdown  from 
any  of  these  eight  conditions.  A  ninth  shutdown 
condition — engine  overspeed — cannot  be  overridden. 
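The trip and permissive rules above for Ship A's boiler (Section B.(2)) and for Ship C's engine and clutch control, together with the "station in control" enable/inhibit signals of Section D.(1)(a), can be written down as a small piece of interlock logic. The following Python is an added example written for this page; it is not either manufacturer's logic or the study's own code. The signal names, the lube oil pressure and "up to speed" thresholds, the fail-closed treatment of a missing trip signal, and the effect of a shutdown on engine state are assumptions. The transfer handshake between stations is not modelled.

```python
"""Interlock logic of the kind the text describes for Ship A's boiler trips
and Ship C's engine permissives, safety shutdowns and station-in-control
signals. Added illustration for this page, not either manufacturer's logic;
every threshold, unit and signal name is assumed."""
from dataclasses import dataclass, field

# ---- Ship A boiler: the four trip conditions listed in the text -------------
BOILER_TRIPS = (
    "drum_level_low_low",      # a) drum level below low-low
    "fan_fail",                # b) loss of combustion air
    "purge_or_lightoff_fail",  # c) purge or light-off sequence fail
    "burner_trip",             # d) burner valve open and no flame
)

def boiler_trip_active(signals):
    """True if any trip condition exists. A signal absent from the dictionary
    is treated as tripped (assumed fail-closed behaviour): a lost or unwired
    sensor must not look like a healthy boiler."""
    return any(signals.get(name, True) for name in BOILER_TRIPS)

def master_fuel_valve_open(signals):
    """Any trip closes the boiler master fuel oil valve."""
    return not boiler_trip_active(signals)

def lightoff_permitted(signals):
    """Light-off is inhibited while any trip condition exists."""
    return not boiler_trip_active(signals)

# ---- Ship C engine: permissives and safety shutdowns ------------------------
OVERRIDABLE_SHUTDOWNS = frozenset({
    "engine_lo_pressure", "fuel_oil_pressure", "rocker_lo_pressure",
    "jacket_water_pressure", "jacket_water_temperature",
    "injector_coolant_pressure", "injector_coolant_temperature",
    "reduction_gear_lo_pressure",
})
MIN_START_LO_PRESSURE = 2.0   # bar; assumed start permissive threshold
CLUTCH_IN_RPM = 300.0         # assumed "up to speed" threshold

@dataclass
class Engine:
    running: bool = False
    clutched: bool = False
    rpm: float = 0.0
    lo_pressure: float = 0.0
    out_of_limits: set = field(default_factory=set)  # names from OVERRIDABLE_SHUTDOWNS
    overspeed: bool = False
    manual_override: bool = False

def start_permitted(e):
    """Start is inhibited if lube oil pressure is inadequate."""
    return not e.running and e.lo_pressure >= MIN_START_LO_PRESSURE

def clutch_permitted(e):
    """Clutch-in is inhibited until the engine has come up to speed."""
    return e.running and not e.clutched and e.rpm >= CLUTCH_IN_RPM

def shutdown_required(e):
    """Eight parameters can be overridden by the operator; overspeed cannot.
    Overspeed is tested before the override so no override path reaches it."""
    unknown = e.out_of_limits - OVERRIDABLE_SHUTDOWNS
    if unknown:
        raise ValueError(f"unrecognised shutdown parameter(s): {sorted(unknown)}")
    if e.overspeed:
        return True
    if e.manual_override:
        return False
    return bool(e.out_of_limits)

def apply_safety(e):
    """Run the shutdown check; a required shutdown stops the engine.
    (Assumed: the clutch is left to the clutch control logic.)"""
    if shutdown_required(e):
        e.running = False
        e.rpm = 0.0
    return e

# ---- Ship C station-in-control signals ---------------------------------------
STATIONS = ("bridge", "engine_room", "local")

def station_in_control_signals(in_control):
    """One enable signal per station; exactly one station is enabled."""
    if in_control not in STATIONS:
        raise ValueError(f"unknown station {in_control!r}")
    return {s: s == in_control for s in STATIONS}

def accept_command(origin, in_control):
    """A speed/direction command is honoured only from the station in
    control; an unknown origin is inhibited."""
    return station_in_control_signals(in_control).get(origin, False)
```

Two properties are worth checking in any implementation of this shape: that no override path can reach the overspeed trip, and that an absent or unrecognised signal inhibits rather than permits. Both hold here by construction: `shutdown_required` tests overspeed before it consults the override, `boiler_trip_active` treats a missing signal as tripped, and `accept_command` drops commands from an origin it does not know.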


D.(1)(c) Mode Control

The mode control function utilizes both analog and digital
circuitry to route vessel speed and direction commands from the
appropriate controlling device (e.g., bridge throttle lever) to
the pitch and engine speed controls. The initial step in this
routing is governed by the setting of the mode switches, i.e.,
cruise, maneuver, or split mode.

Depending on the mode selected, and whether one or both
engines are on-line, the mode control logic selects an
appropriate function generator (e.g., 1-engine cruise mode,
2-engine maneuver mode, etc.) and connects it via relay contacts
with the output of the controlling device. These function
generators utilize analog circuitry to translate the signal from
the controlling device into non-linear functions representing
operating curves of the speed and direction commands.


D.(1)(d) Pitch Control

Propeller  pitch  control  is  achieved  by  a  classical,  feed¬ 
back  servo  loop.  Pitch  command  signals  from  the  function  gen¬ 
erators  are  continuously  compared  to  a  signal  representing  ac¬ 
tual  pitch,  and  an  error  signal  is  generated.  The  error  signal 
is sent to the CPP where it is utilized by a hydraulic unit to
effect  changes  in  propeller  pitch.  Pitch  control  circuitry  also 
controls  the  rate  at  which  pitch  is  changed. 

Propeller  pitch  control  is  primarily  implemented  with  ana¬ 
log  circuitry. 


D.(2) Ship C Coverage and Ground Rules

The  Task  II  analyses  of  Ship  C  covered  all  engine  and  pitch 
controls.  This  includes  all  four  functional  areas  described 
above. This coverage extended down to the part level (e.g.,
integrated circuit gates and flip-flops, relays, etc.).

As  with  Ships  A  and  B,  parts  were  grouped  functionally  for 
analysis  where  the  parts  within  the  group  exhibited  the  same 
failure  effects.  For  instance,  the  parts  in  the  pitch  control 
summing  amplifier  were  considered  a  functional  grouping  because 
their  individual  failures  would  cause  either  loss  of  the  ampli¬ 
fier  output  or  a  constant,  incorrect  output. 

The  communications  system  on  Ship  C  was  not  considered.  It 
was  reported  to  be  extensive,  but  only  very  scanty  specific  data 
was  available  on  it,  so  its  adequacy  cannot  be  assessed. 

Ship C has a microprocessor-based bell logger. Since this
unit  is  used  strictly  for  bell  logging  and  does  not  have  an 
interface  with  propulsion  system  controls,  it  was  not  considered 
in  the  analyses. 


VI. 


FAILURE  RATE  PREDICTIONS 


The  validity  of  much  of  the  work  associated  with  the 
FMEAs, the criticality analysis and the fault trees depends on
good  estimates  of  part  failure  rates.  Because  of  the  importance 
of  obtaining  good  estimates  of  commercial  vessel  control  system 
failure  rates,  every  available  source  of  failure  rate 
information  was  used.  The  following  subsections  describe  the 
data  sources  and  how  the  data  was  used  to  obtain  the  failure 
rate  estimates  for  part  classes  and  types. 

A. FAILURE RATE SOURCES

The  following  data  sources  were  scrutinized  for  failure 
rate  information  and  failure  mode  data  applicable  to  this  study. 

a) "Electronic Equipment Reliability Data," published by
Reliability Analysis Center, Rome Air Development
Center (RADC), Fall 1980. This publication is a
summary of equipment level reliability data on
military electronic equipment. The data summarizes
reliabilities at the subsystem, group, and unit level.
Approximately 94 percent of the equipment covered in
this report is used on military aircraft, 4 percent
for ground application, and 2 percent for shipboard
application. The reliability data was essentially
obtained from contractually deliverable documentation
associated with reliability data, such as Air Force
AFR 66-1 and Navy 3M data collection systems.

b) "Nuclear Plant Reliability Data System, 1980 Annual
Reports of Cumulative System and Component Reliability."
This report was prepared by the Southwest Research
Institute (SRI) and published in September, 1981.

These  annual  reports  were  designed  to  serve  as  a  source 
of  reliability  and  failure  statistics  for  operators, 
designers,  manufacturers,  and  regulators  of  nuclear  power 
plant  safety-related  systems  and  components.  These  reports 
provide  operating  statistics  of  safety-related  systems 
within  a  unit  which  may  be  used  to  compare  and  evaluate 
reliability  performance.  The  reports  also  provide  failure 
mode  and  failure  rate  statistics  on  components  which  may  be 
of  use  in  failure  modes  and  effects  analysis, 
fault/hazard analysis, and probabilistic reliability
analysis.

The  data  in  these  reports  cover  the  period 
between  July  1,  1974  and  December  31,  1980  and  contain 
reliability  data  on  approximately  4,000  different 
types of components within 25 subsystems. This is an
excellent source of data because the total operating
hours down to the component or part level are usually
in excess of millions of hours. In addition to
failure rate data, the report summarizes how
failures were detected, the application of the units,
and the status of the system when the failure was
detected. For each failure mode and total part
failure rate, the rates are calculated for the
minimum, 25th percentile, median, 75th percentile, and
maximum values for each failure mode and for the total
of the parts. The percentiles were computed by the
methods suggested by Conover (1).


c)  "Nonelectronic  Parts  Reliability  Data,"  published  by 
Reliability  Analysis  Center  (RAC),  Rome  Air 
Development Center, Summer 1981. This data summary
provides  failure  rates  and  some  failure  modes 
information  for  mechanical,  electro-mechanical, 
electrical,  pneumatic,  hydraulic,  and  rotating  parts. 

The  data  utilized  in  the  development  of  the 
publication  was  collected  by  RAC,  and  presents 
equipment  level  experience  in  military,  industrial, 
and  commercial  applications.  In  the  calculations  of 
these  statistics,  it  was  assumed  that  the  failure 
rates of nonelectronic parts follow the exponential
distribution.  That  is,  the  parts  display  a  constant 
or  random  failure  rate.  Based  on  this  assumption,  the 
mean  and  60  percent  confidence  intervals  were  calculated. 

This  report  includes  equipment  failure  rates  for 
practically  every  environment,  e.g.,  dormant,  satellite, 
ground  fixed,  airborne,  helicopter,  ship  environment, 
submarine environment, etc. In many cases,
the  total  operating  hours  for  individual  parts  are 
well  over  millions  of  hours.  The  report  also  provides 
some  failure  mode  information  and  was  used  as 
back-up  information  for  obtaining  the  failure  mode 
breakdowns  used  by  DOVAP  in  this  study. 

d) "Missile Systems Division, Reliability Engineering
Manual," published by Lockheed Missile and Space
Company (LMSC), 1 August 1963. This volume contains
generic failure rates for electrical and mechanical
components. Upper and lower confidence levels are given
for the failure rates of each component type. The
upper and lower limits correspond approximately to
the 3σ limits of the normal distribution. Because the
data is comparatively old, DOVAP did not include the
failure rates in the overall calculations of the
adjusted failure rates for ship applications. Rather,
the failure rates were regarded more as a checkpoint
to determine if ballpark figures correlated.

(1) W.J. Conover, Practical Nonparametric Statistics, New
York, John Wiley, Inc., 1971.

e) "Government-Industry Data Exchange Program (GIDEP),
Volume Reliability, Maintainability Analyzed Data
Summaries," latest volume published July 1981 with
updates included as of September 1982. The GIDEP
reliability  and  maintainability  data  bank  includes 
information  on  failure  rates,  failure  modes, 
replacement  rates,  mean  time  between  failures,  and 
mean  time  to  repair  on  parts,  components,  equipments, 
subsystems,  and  systems.  This  source  includes  data 
from  field  experience,  laboratory  accelerated  life 
tests,  and  reliability  and  maintainability  demonstration 
test  results.  In  addition  to  the  summarized 
information,  GIDEP  provides  microfilm  reports  on 
individual  back-up  data. 

The  failure  rate  data  and  replacement  rate  data 
are  statistically  analyzed  and  presented  in  the  form 
of  group  99  percent  confidence  intervals  with  a  mean 
value  for  each  major  subject  category.  The  99  percent 
confidence  interval  is  calculated  for  failure  rates 
for  each  part  type.  The  data  is  grouped  by  major 
subject  categories,  part  number  listing,  and  by  vendor 
listing.  Because  of  the  extensive  participation  in 
the  GIDEP  program  by  most  military  contractors,  a  wide 
range  of  environments  and  a  large  accumulation  of  test 
and  operating  hours  are  covered. 

f) "Establishment of Reliability and Maintainability Data
Bank  for  Shipboard  Machinery,"  published  by  ARINC 
Research  Corporation,  dated  March  1973.  This  report 
presents  summaries  of  failure  rates  and  maintenance 
rates  for  Navy  shipboard  machinery.  Little 
information  is  reported  for  control  system  components; 
however,  some  useful  failure  rate  information  is  given 
on  valves,  pumps,  and  boilers.  The  source  for  this 
information  is  the  Navy's  3M  system,  and  where 
sufficient  data  is  available,  90  percent  upper  and 
lower  confidence  levels  are  calculated. 

g)  "Storage  Reliability  of  Missile  Materiel  Program." 
published  by  Raytheon  Company,  May  1976.  This  report 
summarizes  and  analyzes  the  non-operating  reliability 
of  missile  materiel.  However,  as  a  comparison  the 
report also develops operational reliabilities and
K-factors for converting reliability data from the
storage environment to the operational environment.

The  storage  reliability  research  program  collected  a 
wide range of data from accelerated tests, special
test programs, and a data bank on non-operating
reliability developed for the U.S. Army Missile
Command. Although classified as non-operational, the
components  are  subjected  to  such  relatively  severe 
environments  as  transportation,  handling,  and  test. 

The  report  covers  electrical,  electronic, 
electromagnetic,  hydraulic,  and  pneumatic  devices. 

Failure  rates  are  grouped  by  part  category  and  the 
best  estimate  is  calculated  along  with  90  percent 
confidence  intervals.  In  addition  to  failure  rates, 
part  failure  modes  are  provided. 

h) MIL-Handbook 217. All electronic part failure rates
were  calculated  using  MIL-Handbook  217.  The  handbook 
methods  were  discussed  in  Section  II  and  will  be  further 
elaborated  on  in  this  section. 

i)  Task  I  Data.  Although  the  literature  search  provided 
much  qualitative  information,  relatively  little 
quantitative  failure  data  was  obtained.  The  quantitative 
data  sources  were  discussed  in  Section  IV. 


B. DEVELOPMENT OF FAILURE RATES FOR COMMERCIAL VESSEL
AUTOMATED  CONTROLS 

B.(1) Environmental K-Factors For Non-Electronic Parts.

As  indicated  in  the  above  section,  a  great  variety  of  data 
was  available  for  this  study.  However,  very  little  quantitative 
data  specifically  obtained  from  commercial  vessel  automation 
systems  was  found.  In  order  to  use  data  generated  from  other 
sources, such as for military applications and non-maritime
environments,  K-factors  had  to  be  developed.  The  purpose  of 
these  K-factors  is  for  converting  failure  rates  from  other 
environments  and  other  applications  into  ship  system  failure 
rates.  It  was  also  necessary  to  develop  two  sets  of  K-factors 
for  the  ship  environment  because  of  the  radical  difference 
between  the  controlled  environment  of  the  centralized  engine 
control room and that of the "field" environment (i.e.,
non-control  room).  The  field  environment  is  much  more  extreme 
in  the  areas  of  temperature,  vibration,  humidity,  etc. 

The  closest  environmental  designation  to  commercial  vessel 
application  is  that  of  "ship  sheltered,"  as  used  in  MIL-Handbook 
217  and  RADC  documents.  Therefore,  ship  sheltered  (SHS)  became 
the  basis  for  all  comparisons  to  other  environments.  Thus,  with 
ship  sheltered  assigned  a  factor  of  1,  multipliers  for  other 
environments were then developed. All data sources were
researched  and  where  failure  rates  for  ship  sheltered  and  other 
environments  were  given  for  the  same  type  parts,  a  ratio  was 
developed to convert to the ship sheltered environment. Table
VI-1 gives the individual part types along with the environments
and  the  environmental  factors  for  each  part  type.  As  previously 
pointed  out,  the  part  types  were  grouped  according  to  whether 
they  were  used  in  control  room  or  field  applications,  and 
separate  factors  were  developed  for  each.  Because  there  was 
insufficient  data  and  too  much  variability  between  breakdowns 
within part types, an average environmental factor (x̄) was
developed for each environment (i.e., control room application
and  field  application).  In  other  words,  to  convert  the  failure 
rate for a switch or relay from a ground fixed (GRF) to a ship
environment,  the  failure  rate  for  the  ground  fixed  environment 
is  multiplied  by  3.4633  to  obtain  a  ship  environment  failure 
rate  for  a  control  room  application.  The  field  environment  being 
much  more  severe,  the  conversion  factor  from  a  ground  fixed  to  a 
ship  field  environment  is  8.072.  On  the  other  hand,  the 
aircraft uninhabited (AU) environment is much more severe than
the  ship  environment,  and  converting  failure  rates  from  this 
environment  to  the  ship  environment  requires  that  the  aircraft 
environmental  failure  rate  be  multiplied  by  0.1633. 

Environments listed in Table VI-1 not mentioned above are ground
mobile (GRM), airborne inhabited (AI), and submarine (SUB).


B. (2)  Development  Of  Part  Class  And  Type  Failure  Rates  For 
Commercial Vessel Control Room Application

All  applicable  data  sources  were  utilized  to  develop  the 
failure  rates  for  commercial  vessel  application.  Table  VI-2 
summarizes  the  results  of  this  data  search. 

B.(2)(a)  Part  Class  and  Type 

Parts  were  grouped  by  class  and  type.  In  some  cases, 
sufficient  data  was  available  to  get  individual  failure  rates  by 
type;  in  other  cases,  the  data  was  accumulated  by  class. 

B.(2)(b) Sources

The  sources  are  listed  in  Table  VI-2  and  have  been 
described  in  some  detail  previously. 

B.(2)(c)  Environment 

The  environment  from  which  the  data  source  was  obtained  is 
given. 

B.(2)(d)  Application 

The  application  of  the  part  is  either  military  (M)  or 
commercial  (C).  In  all  cases,  the  mean  calculation  was  used  for 
generating  the  final  failure  information.  However,  as 
additional  information,  the  lower  confidence  level,  the  upper 
confidence  level,  number  of  failures,  and  operating  hours  are 
given. 
[Table VI-1: K-Factor Development for Non-Electronic Parts;
Factors for Converting Other Environments to Ship Sheltered.
Table body not reproduced.]

B.(2)(e) Environmental Adjustment Factor

The environmental adjustment factor, as explained above, is
entered for part classes and types.

B.(2)(f) Part Type, Basic Ship Sheltered Failure Rate

This  is  the  product  of  the  mean  failure  rate  for  the 
specific  environment  times  the  adjustment  factor  to  convert  the 
failure  rate  to  a  ship  sheltered  environment. 

B.(2)(g) Part Class, Basic Ship Sheltered Failure Rate

Part  class,  basic  ship  sheltered  failure  rate  is  the 
average  of  the  class. 

B.(2)(h)  Percent  Reduction  due  to  Functional  Test 

For  each  class,  a  percent  reduction  that  can  be  obtained 
due  to  functional  test  is  provided. 

B.(2)(i) Percent Reduction due to Inspection and Scheduled
Maintenance

The  percentage  obtained  for  reducing  the  failure  rate  due 
to  inspection  and  scheduled  maintenance  is  given. 

B.(2)(j)  Adjusted  Ship  Sheltered  Failure  Rates  for  Test  and 
Scheduled  Maintenance 

This  is  the  basic  failure  rate  less  the  percentages  that 
can  be  eliminated  due  to  functional  tests,  inspection  and 
scheduled  maintenance.  These  are  the  most  optimistic  failure 
rates. 


B.(3) Adjustment Factors For Reducing Basic Failure Rates
Through Functional Testing, Inspection, And Scheduled
Maintenance

In  order  to  develop  the  relative  failure  rate  improvements 
obtainable  through  functional  testing,  operational  testing, 
inspection,  and  preventative  maintenance,  certain  assumptions 
had  to  be  made.  These  assumptions  are  as  follows. 

a) The failure rates derived from historical
data and adjusted by the K-factors are basic
failure rates. These basic failure rates
are the so-called "unscheduled maintenance action"
failure rates. That is, they apply to hardware
problems requiring unscheduled maintenance. Not all
unscheduled maintenance actions are the result of
operational failures. However, if the unscheduled
maintenance is not performed, it can be reasonably
assumed that the defect will eventually degrade to
the point where it becomes a functional failure.


b)  It  is  assumed  that  certain  failures  can  be 
detected  prior  to  functional  failure,  either 
through  functional  testing  or  inspection,  or  that 
they  can  be  prevented  through  preventative 
maintenance. 

c)  Other  failures  occur  instantaneously  and  cannot  be 
detected  prior  to  failure  and  therefore,  cannot  be 
prevented. 

Another  class  of  failure  is  the  wear-out  type  which 
can  be  prevented  by  scheduled  removals.  All  these  types  of 
failures  are  included  in  the  basic  failure  rates. 

Based  on  historical  data,  the  percentage  of  failures  by 
part  class  that  can  be  eliminated  through  functional  testing  and 
through  maintenance  was  determined.  Maintenance  includes 
scheduled  inspection  and  scheduled  preventative  maintenance. 
These  percentages  were  derived  from  historical  data  that  broke 
out  how  the  failures  were  detected.  In  other  words,  for  certain 
part  types,  the  data  gives  the  percentage  of  failures  that  were 
detected  during  functional  test,  during  inspection,  and  during 
other  categories  of  activities.  Much  of  this  data  was  obtained 
from  the  nuclear  failure  rate  information  generated  by  the 
Southwest Research Institute. This data was very precise, and in
many  cases,  the  total  operating  hours  were  in  excess  of  many 
millions  of  hours. 


B. (4)  Adjustment  Factors  For  "Opens"  From  The  Field 

Both  historical  data  and  the  open  literature  indicate  that 
a  major  problem  with  control  systems  concerns  the  workmanship  of 
the  interconnections  from  the  field  components  to  the  control 
console.  That  is,  these  interconnections  are  prone  to  "fail 
open".  Various  documents  indicate  that  the  magnitude  of  this 
problem  is  directly  related  to  the  shipyard  performing  the  work. 
However,  after  a  period  of  time,  which  can  vary  from  six  months 
to  approximately  three  years,  these  problems  are  eventually 
eliminated  and  a  steady  state  condition  as  far  as  "opens"  from 
the  field  is  reached. 

In  order  to  adjust  the  data  for  potential  field  opens, 

DOVAP  added  0.38  failures  per  million  hours  for  each  field 
connection.  This  breaks  down  as  follows: 

a)  0.33  failures  per  million  hours  for  cable  to  console 
failure  rates 

b) 0.04 failures per million hours for connector
failure rates

c) 0.01 failures per million hours for connection of
the cable to the field component.
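The conversion chain of B.(1) through B.(4), worked as a small program. This is an added example written for this edition; it is not DOVAP's worksheet or software. The three K-factors (3.4633, 8.072, 0.1633) and the 0.38 per-connection allowance are the figures quoted above; the part records, percent reductions and connection counts are constructed assumptions, and only the K-factors named in the text are tabulated (Table VI-1 carries the rest).

```python
"""Added example: the failure-rate adjustment chain of section VI.B.

The K-factors and the field-open allowance are the report's figures; the
part records, percent reductions and connection counts are constructed.
"""
from dataclasses import dataclass
from statistics import mean

# B.(1): multipliers converting a source environment to the ship environment,
# ship sheltered (SHS) control-room use being the reference (factor 1).
# Only the factors quoted in the text are listed here (assumption: nothing
# else from Table VI-1 is reproduced).
K_FACTORS = {
    "control_room": {"SHS": 1.0, "GRF": 3.4633, "AU": 0.1633},
    "field":        {"SHS": 1.0, "GRF": 8.072},
}

# B.(4): allowance for "opens" in field wiring, failures per 10^6 hours per
# connection: cable to console + connector + termination at the field device.
FIELD_OPEN_PER_CONNECTION = 0.33 + 0.04 + 0.01


@dataclass
class PartRecord:
    name: str
    part_class: str
    source_env: str            # environment the historical mean rate came from
    application: str           # "control_room" or "field"
    mean_rate: float           # mean failures per 10^6 hours in source_env
    test_pct: float = 0.0      # B.(2)(h): % removable by functional test
    maint_pct: float = 0.0     # B.(2)(i): % removable by inspection/maintenance
    field_connections: int = 0 # wiring runs to this part that can fail open


def basic_ship_rate(rec: PartRecord) -> float:
    """B.(2)(f): mean source-environment rate times the environmental factor."""
    try:
        k = K_FACTORS[rec.application][rec.source_env]
    except KeyError:
        raise ValueError(
            f"no K-factor for {rec.source_env} -> {rec.application}") from None
    return rec.mean_rate * k


def adjusted_ship_rate(rec: PartRecord) -> float:
    """B.(2)(j): basic rate less the percentages that test, inspection and
    scheduled maintenance can eliminate, plus the B.(4) field-open allowance.
    The reductions apply to the part only; the opens are added as the flat
    per-connection allowance the report specifies."""
    total_pct = rec.test_pct + rec.maint_pct
    if not 0.0 <= total_pct <= 100.0:
        raise ValueError("test + maintenance reductions must lie in 0..100 %")
    reduced = basic_ship_rate(rec) * (1.0 - total_pct / 100.0)
    return reduced + rec.field_connections * FIELD_OPEN_PER_CONNECTION


def class_basic_rate(records, part_class: str) -> float:
    """B.(2)(g): the class rate is the average of its members' basic rates."""
    rates = [basic_ship_rate(r) for r in records if r.part_class == part_class]
    if not rates:
        raise ValueError(f"no records in class {part_class!r}")
    return mean(rates)


def worksheet(records):
    """One row per part: (name, basic, adjusted), failures per 10^6 hours."""
    return [(r.name, round(basic_ship_rate(r), 4), round(adjusted_ship_rate(r), 4))
            for r in records]


if __name__ == "__main__":
    # Constructed records; these rates are not taken from any data source.
    parts = [
        PartRecord("K1 relay", "relay", "GRF", "control_room", 2.0, 20, 10),
        PartRecord("PS3 pressure switch", "switch", "GRF", "field", 1.5, 10, 30, 2),
        PartRecord("U7 logic IC", "ic", "AU", "control_room", 10.0),
    ]
    for row in worksheet(parts):
        print("%-22s basic %8.4f  adjusted %8.4f" % row)
```

The adjusted figure is the "most optimistic" rate of B.(2)(j); a practitioner comparing it with the basic rate should remember that the field-open term never shrinks with test or maintenance, so parts with many field runs can end up with an adjusted rate above their basic rate.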


B.(5) Substantiation Of Six Month Factors For Hardware Other
Than Electronic Components.

The  average  decrease  in  failure  rates  from  the  infant 
mortality  period  to  the  steady  state  period  was  obtained  from 
the  report  "Consideration  for  the  Initial  Failures  of  Marine 
Engines,"  Log  Number  075.  This  report  shows  a  considerable 
difference  in  failure  frequencies  between  the  first  six  month 
period  and  the  remaining  period  over  which  data  was  collected. 

From the data in the report, the total number of failures
for the first six month period and for all failures occurring
after six months can be obtained. This amounts to 11.72 failures
per ship month for the first six months, and 2.98 failures per
ship month after the initial first six months. This report also
subdivides data by equipment classification such as automation
equipment, and piping and valves. From this, the percent
contributions of valves and piping and of automation systems were
broken out from the total. This amounted to 7.4 per month for
valves and piping for the initial period, and .64 for the period
past six months. For the automation systems, it amounted to 3.3
failures per month for the first six months, and then the failure
rate leveled out to .5 per month after the initial six month
period. Using these ratios, automation failures, excluding
electronics, for the first six months are 6.6 times higher than
that of the steady state period. For valves, piping, and other
field components, it was estimated that the premature failure
rate is 11.6 times higher than that of the steady state condition.


C.  ELECTRONIC  PARTS  STRESS  ANALYSIS 

As  can  be  recalled  from  Section  II,  "Fundamentals  of 
Reliability", MIL-Handbook 217 utilizes part stress ratios as
factors  in  the  failure  rate  equation.  These  part  stress  factors 
are  the  ratio  of  the  actual  value  to  the  rated  value  for  the 
appropriate  part  parameters.  (For  instance,  for  transistors, 
power  is  one  of  the  parameters. ) 

In  order  to  develop  these  stress  factors  so  that  failure 
rates  could  be  obtained  from  MIL-Handbook  217,  circuit  analyses 
were  performed.  These  analyses  were  conducted  on  a  sample  of 
the electronic components in the control systems of all three
vessels.  The  sample  represents  about  20  percent  of  the  printed 
circuit  card  types;  however,  these  are  the  high  usage  cards  and 
represent  approximately  70  percent  of  the  total  electronic  parts 
used  in  the  systems. 

In  conducting  the  parts  stress  analysis,  power  dissipation, 
current,  and  voltage  stress  values  were  computed  based  on 
nominal supply voltages. Component ratings, as shown on the
schematic, were taken as the base level component rating, e.g.,
if  a  resistor  was  listed  as  1/4  watt,  stress  levels  were 
computed  considering  1/4  watt  as  100  percent. 

Stress  factors  for  Systems  B  and  C  circuitry  which  drove 
off-card circuits were computed by using maximum operating
conditions  as  described  in  the  module  specification.  There  were 
some  cases  where  this  information  was  not  available,  however, 
most  of  the  card  output  circuits  were  loaded  similarly  to  those 
in  the  documented  circuits. 

System A circuit cards used logic devices and op-amps
driving off-card loads. Stress factors for digital ICs were
computed assuming a worst case device power supply current and
multiplying it by the nominal power supply voltage. Analog
devices were assumed to be driving their maximum guaranteed load
current into a resistive ground-referred load. For signal
amplifiers, the output load current was computed using the worst
case power dissipation condition in the device output region of
±10 volts.

In  conducting  the  part  stress  analysis,  worksheets  were 
used  to  record  the  values  computed.  Figure  VI-1  depicts  a 
sample  of  these  worksheets. 
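The stress-ratio arithmetic of this section, as an added example that is neither one of DOVAP's worksheets (Figure VI-1) nor the PREDICTOR software. It computes actual/rated ratios for a constructed sample card using the conventions stated above: the schematic rating is 100 percent, supplies are at nominal voltage, digital ICs use worst-case supply current times nominal supply, and a signal amplifier uses its worst-case dissipation within the ±10 volt output region. The reference designators, ratings, currents, loads and supply voltages are assumptions.

```python
"""Added example: part stress ratios of the kind MIL-Handbook 217
parts-stress predictions need (section VI.C). All part values are
constructed; the formulas are ordinary circuit analysis at nominal supply."""
from dataclasses import dataclass


@dataclass
class StressEntry:
    ref: str        # reference designator on the schematic (constructed)
    actual: float   # computed operating value
    rated: float    # rating taken from the schematic (= 100 %)
    unit: str

    def __post_init__(self):
        if self.rated <= 0:
            raise ValueError(f"{self.ref}: rating must be positive")

    @property
    def ratio(self) -> float:
        """Stress ratio as MIL-Handbook 217 uses it: actual / rated."""
        return self.actual / self.rated


def resistor_power_stress(ref, volts_across, ohms, rated_watts):
    """Dissipation V^2/R against the schematic rating (e.g. 1/4 W = 100 %)."""
    return StressEntry(ref, volts_across ** 2 / ohms, rated_watts, "W")


def capacitor_voltage_stress(ref, applied_volts, rated_volts):
    """Voltage stress: applied voltage against rated voltage."""
    return StressEntry(ref, applied_volts, rated_volts, "V")


def digital_ic_power_stress(ref, icc_max_amps, vcc_nominal, rated_watts):
    """Worst-case supply current times nominal supply voltage (the System A
    method described in the text)."""
    return StressEntry(ref, icc_max_amps * vcc_nominal, rated_watts, "W")


def opamp_output_power_stress(ref, supply_volts, load_ohms, iq_amps,
                              rated_watts, vout_limit=10.0):
    """Worst-case dissipation of a signal amplifier driving a resistive,
    ground-referred load within the output region 0..vout_limit (the text's
    +/-10 V; the sign does not matter for a symmetric supply). Output-stage
    dissipation (Vs - Vo) * Vo / RL peaks at Vo = Vs/2, so the worst case is
    that point if it lies inside the region, else the region's edge.
    Quiescent dissipation across both rails is added."""
    vo_worst = min(supply_volts / 2.0, vout_limit)
    p_output = (supply_volts - vo_worst) * vo_worst / load_ohms
    p_quiescent = 2.0 * supply_volts * iq_amps
    return StressEntry(ref, p_output + p_quiescent, rated_watts, "W")


def worksheet(entries, limit=1.0):
    """Rows of (ref, actual, rated, unit, percent stress) plus the refs whose
    ratio exceeds `limit`. A ratio above 1.0 means the part runs beyond its
    schematic rating, which is a design finding, not a prediction input."""
    rows = [(e.ref, round(e.actual, 4), e.rated, e.unit, round(100 * e.ratio, 1))
            for e in entries]
    over = [e.ref for e in entries if e.ratio > limit]
    return rows, over


if __name__ == "__main__":
    # Constructed sample card; none of these values come from the ships studied.
    card = [
        resistor_power_stress("R1", volts_across=5.0, ohms=100.0, rated_watts=0.25),
        resistor_power_stress("R2", volts_across=12.0, ohms=1000.0, rated_watts=0.125),
        capacitor_voltage_stress("C3", applied_volts=15.0, rated_volts=35.0),
        digital_ic_power_stress("U4", icc_max_amps=0.020, vcc_nominal=5.0,
                                rated_watts=0.5),
        opamp_output_power_stress("U5", supply_volts=15.0, load_ohms=2000.0,
                                  iq_amps=0.002, rated_watts=0.5),
    ]
    rows, over = worksheet(card)
    for row in rows:
        print("%-4s %10.4f / %-6g %-2s %6.1f %%" % row)
    print("over rating:", over or "none")
```

The percent column is what goes into the handbook's stress-factor lookup; the `over` list is the practitioner's check that the nominal-supply assumption has not hidden a part already operated above its rating.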


D.  RELIABILITY  GROWTH  AND  THE  EFFECT  OF  SCREENED  AND 
UNSCREENED  CIRCUIT  CARDS 

A  great  deal  of  data  has  been  generated  on  the  subject  of 
reliability  growth  of  electronic  components  and  on  the  effects 
of  environmental  screening  or  burn-in.  One  such  paper  is  "The 
Reliability  Growth,  Screened  vs.  Nonscreened  Computers"*.  This 
paper  documents  the  reliability  improvement  factor  identified 
when  digital  computer  circuit  cards  were  subjected  to  a  set  of 
environmental  screens,  as  compared  to  identical  cards  without 
environmental  screening.  Rates  of  reliability  growth  were 
identified  for  each  type  of  card.  All  components  used  were  of 
Mil-grade  quality  and  were  derated  according  to  applicable  NASA 
requirements. 

The  burned- in  components  were  subjected  to  200  hours  in  a 
chamber  which  cycled  the  temperature  of  the  units  from  a  -40°  F 
to  +105°  F.  The  rate  of  reliability  growth  for  the  two  types  of 
printed  circuit  assemblies  is  shown  in  Figure  VI-2.  The 
following  was  concluded  from  the  data. 


*1982  Proceedings,  Annual  Reliability  and  Maintainability 
Symposium, E.W. Derenthal, IBM Corporation, Owego, N.Y.
The reliability improvement factor for screened units over
nonscreened units is not consistent but rather a function of
age. The factor observed for the screened unit was 2.5 at 1,000
hours, 1.6 at 5,000 hours, and approached unity at 30,000 hours.
The screened units start at an initially higher mean time
between failures than the unscreened units, but demonstrate a
lower reliability growth rate. The curves show that generally
higher reliability can be obtained by units that have been
subjected to burn-in or thermal cycling. Both screened and
unscreened units will demonstrate reliability growth; however,
at approximately 30,000 hours the rate of growth becomes
approximately the same.

No data could be found showing the rate of growth for
commercial grade components. Therefore, the growth rate
selected for the commercial vessels on this study was the
unscreened rate for the Mil-grade parts as shown in Figure VI-2.

It  is  assumed  that  initial  failure  rates  are  higher  and  the 
rate  of  growth  is  substantially  higher  for  commercial  grade 
components  because  the  individual  components  had  not  been 
screened  or  burned  in. 

Because  of  the  significant  initial  improvement  in  burned-in 
assemblies,  it  is  recommended  that  manufacturers  of  propulsion 
control  systems  burn-in  and  thermal  cycle  the  printed  circuit 
cards. 


E.  ELECTRONIC  PART  FAILURE  RATE  GENERATION 
E. (1)  Application  Of  MIL-Handbook  217. 

The  electronic  part  failure  rates  used  by  DOVAP  were 
obtained  from  MIL-Handbook  217.  In  order  to  facilitate 
development  of  these  failure  rates,  computer  software  was 
utilized.  This  computer  software  is  called  PREDICTOR  and  was 
developed  by  Management  Sciences,  Inc.  of  Albuquerque,  New 
Mexico.  To  generate  failure  rates  using  PREDICTOR,  the  user 
supplies  the  program  with  data  elements  such  as  component  types, 
quantities,  quality  levels,  stresses,  ambient  temperature, 
environments, etc. The program recognizes key words and data
that  are  relevant  to  the  failure  rate  predictions.  Examples  of 
key  words  are  component  nomenclature  and  component  part  type 
designation  numbers.  Through  built-in  program  defaults, 
predictions  will  be  developed  utilizing  whatever  data  the 
software  has  available. 

Figure VI-3 shows the PREDICTOR output for a sample of 121
electronic parts. The basic methods for developing failure
rates from MIL-Handbook 217 were described in Section II, and as
explained in that section, many factors are used in the failure
rate equations. Some of these factors have minor effects on the
final rate value. Some are significant however, and those which
DOVAP used in the calculations are described as follows:

[Figure caption: Failure rates calculated using MIL-Handbook 217
methods, Naval sheltered environment, ambient temperature of
35 degrees C, and lower military grade quality.]

Ambient Temperature: An ambient temperature of 35° C was
used for the electronic part failure rate calculations. The 35°
C was estimated as the upper range of the actual operating
temperatures within the control consoles. Where certain
components run hotter at the junction than the estimated
ambient, a junction temperature rise was also added to the
ambient for those components. The actual range observed aboard
one ship was 72° to 75° F, and this remained fairly constant.
The control cabinets usually contained blowers which circulate
the air, and the ambient should be fairly well distributed
within the cabinet.

Quality Level: The commercial quality level was used for
all  component  failure  rate  predictions.  The  quality  level 
factor  can  have  a  very  significant  effect  upon  the  end  failure 
rate. 

Operating Stress Ratio: As previously described, stress
analysis  was  performed  on  approximately  70  percent  of  the 
electronic  parts  covered  in  this  study.  The  remaining  stress 
ratios  were  estimated  based  upon  these  calculated  values. 

Environment: The naval sheltered environment was used for
this analysis. The MIL-Handbook 217 description for this envi­ronment covers components located below deck and protected from
weather, and includes such equipment as ship communications,
computers, and sonar equipment.


E. (2)  Analysis  Of  The  Effect  of  Temperature 

Because  of  the  possibility  that  some  control  rooms  are  not 
air  conditioned,  the  effects  of  higher  temperature  levels  were 
evaluated.  This  was  accomplished  by  generating  failure  rate 
predictions  for  a  sample  of  121  electronic  parts  at  temperatures 
of both 35° C and 50° C. These data printouts are provided in
Figures VI-4 and VI-5. The total failure rate for the 121 parts
at 35° C was 24.8343 failures per million hours. The failure
rate  increased  to  32.899  failures  per  million  hours  for  the  50° 
C.  condition,  for  an  overall  failure  rate  increase  of 
approximately  32  percent.  However,  the  majority  of  the  increase 
is  due  to  semiconductors  and  ICs  which  become  more  failure  prone 
as  the  temperature  increases. 
(Figure caption: Failure rates calculated using MIL-Handbook 217 methods, Naval sheltered environment, ambient temperature of 35 degrees C, and commercial grade quality.)

(Figure caption: Failure rates calculated using MIL-Handbook 217 methods, Naval sheltered environment, ambient temperature of 50 degrees C, and commercial grade quality.)


E. (3)  The  Effects  of  Higher  Quality  Levels 

As previously indicated, commercial or "L" grade quality levels were used in developing failure rates. In order to determine the effects of using MIL grade components, the same 121 parts were run through the computer program using both lower level quality parts and MIL grade quality parts. The MIL grade parts used for this exercise were of the lower range of the total spectrum for MIL quality parts. Nevertheless, the failure rate dropped from 24.83 failures per million to 5.68 per million, or an improvement of 77 percent. Again, most of the improvement is due to semiconductors and ICs, which account for 75 percent of the improvement. Although resistors and capacitors constitute the majority of the parts, they only account for 25 percent of the improvement.


E. (4)  Failure  Rate  Summary 

To summarize, many factors influence the values of the failure rates. The basic failure rates used in this study are assumed to be the so-called unscheduled maintenance rates. The parts are assumed to be operating at an ambient temperature of 35° C., during the steady state phase, and are of commercial quality level. These failure rates can either be adjusted up or down by changing the basic assumptions regarding temperature, operational phase, maintenance, or quality levels. The degree of change varies by part type and class. Also, there are many unknowns as to the effect of these factors on non-electronic parts, and many of the factors had to be estimated. Table VI- summarizes the general effects of these four factors. By increasing the temperature from 35° C. to 50° C., the basic failure rate generally increases; however, for hardware such as valves and pumps, the temperature change should not have a substantial effect and the factors are assumed to be 1. The overall factor for change in temperature is 1.2.

For quality, changing from commercial to military grades will reduce failure rates. Little data could be found on non-electronic parts. However, a significant reduction is exhibited using MIL-Handbook calculations for electronic parts. The adjusted failure rate for use of military level parts is 0.71 of the base failure rate.

The premature failure rates are significantly higher than those for the steady state, and converting from steady state to premature state increases the failure rate on the average by 7.9.


The adjustment to the base failure rate due to maintenance and tests is on average 0.48 percent of the base rate. In other words, approximately half of all failures can be eliminated through adequate preventative maintenance and tests. The remaining failures probably cannot be eliminated because they are undetectable and/or fail instantaneously. The 0.48 improvement factor due to maintenance correlates very closely with data generated on other large complex systems. It has been found in studies of historical data on military systems that, on the average, there is a one to one ratio of failures that have degraded to the point that they affect the function of the equipment to failures that are found prior to degrading to the point of being a functional failure. The degree to which the non-operational type of degradation can be eliminated prior to total failure is a function of the effectiveness of inspection, tests, and preventative maintenance programs.


VII. FAILURE MODES AND EFFECTS ANALYSES (FMEA)


During the Task II effort, Failure Modes and Effects Analyses (FMEA's) were conducted down to the part level (transistor, integrated circuit, control valve, etc.). The completed FMEA sheets for Ships A, B, and C are provided in Appendices B, C, and D. In the subsections which follow, the FMEA approach is described and failure modes are discussed.


A.  FMEA  APPROACH 

The basic, overall approach to the FMEA's for all three ships was first to subdivide the hardware into realistic, manageable groupings. At the "top level," these groupings constitute the subsystems, or major functional areas. These subsystem groupings for each ship are listed at the end of this section.

The hardware within each subsystem was then further subdivided by examining the individual hardware elements. Groupings were established based on the subfunctions performed. In some cases, from three or four to a dozen or so elements could be grouped together into one subfunction. In other cases, no grouping was found possible, and individual elements (for instance, a NAND gate) were considered as a "group." In all cases, these groupings were developed from schematics, and were based on the criterion that each element within the group contribute to the same failure effect.

One example of this grouping would involve a circuit, such as a relay driver, with only one subfunction. While the driver is composed of several parts, it can be reasonably assumed that failures within the driver would have the same overall effect, namely to cause the associated relay to energize or de-energize incorrectly. In this example, the parts within the relay driver form a subgroup.

Another example would involve an element having an output used in more than one place. In this example, potential element failure modes would contribute to failure effects in each area where the output was used. It could thus not be grouped together with any one area where its output was used since its potential failure modes would also affect other areas. Rather, it would form its own unique "group." Logic gates often exhibit this type of failure effect and form "groups" of a single element each.
Each of these groups or single elements, as appropriate, was entered into the FMEA worksheets. It can be seen, therefore, that the FMEA's cover all hardware elements.

Once the hardware had been subdivided, the failure modes for each grouping were entered into the FMEA worksheets. These failure modes are discussed in detail below, but generally include failures to the extremes of each group's operating boundaries. These "extremes" include fail high/low or fail true/false for digital logic, contact stays open/closed for relays, signal stays active/never active, etc.

For each group, the subsystem and system failure effects for each potential failure mode were then determined. The subsystem failure effects constitute the impact of the failure mode on subsystem operation, and their entries on the FMEA worksheets describe the abnormal subsystem operation that would occur as a result of the failure mode under consideration. Likewise, the system failure effect entry describes the abnormal operation that would occur at the overall system level due to the failure mode. As an example, assume that the failure mode under consideration was "output signal stays active" for a particular relay driver. Then the subsystem failure effect would be that the associated relay stays energized. At the system level, the failure effect would be that the associated function stays in the operating mode dictated by the energized state of the relay (for instance, feedwater pump stays on).

The FMEA approach described thus far is basically the standard approach taken to any FMEA. In addition, DOVAP covered three other areas that are not necessarily included, per se, in all FMEA's. These areas were included for later use in the criticality analyses, and are as follows:

First, where applicable, cross reference numbers were made on the FMEA worksheets to the criticality sheets to identify any means available for detecting the failure mode under consideration. These failure detection means primarily involve alarms and such visual indications as gauges.

Second, any back-up provisions for manually overcoming the effects of the failure modes were identified for cross-reference to the criticality sheet. Such back-up provisions include manual operation of a valve, local control from a remote station, handpump control of hydraulics, etc.

And third, failure rates for all FMEA entries were provided on the worksheets. These failure rates cover the part(s) in each subgrouping, and are also apportioned to the failure modes under consideration. For instance, assume that the failure modes for a particular relay are "contact stays open" and "contact stays closed," and that it has been determined that these failure modes are equally likely. This implies that if the relay fails, there is a 50 percent chance that its contact will stay open and 50 percent that it will stay closed. Therefore, 50 percent of the relay's total failure rate is apportioned to each potential failure mode.


B.  FAILURE  MODES 

The degree of realism achieved through a failure modes and effects analysis depends significantly on the realism of the failure modes considered. This occurs because the failure effects identified in an FMEA are a direct function of the failure modes assigned to the various hardware groupings.

There are two basic sources of failure mode information for use in an FMEA. The first source is published failure mode data and compendiums; the second is the application of engineering experience.

The major problem with published failure mode data is that it is severely limited. Many individual papers cite some particular failure mode(s) observed in operation, and such information from the Task I literature search was used during Task II of this study. On the whole, however, failure mode information of this type is not comprehensive, and at best can only serve to verify data obtained from other sources.

There are a few published compendiums containing failure mode information, and three were used on this study. While these do provide reasonably comprehensive data, they are limited in the hardware areas they cover.

Of the three sources, the "SRI data" (2) was used for background information on mechanical, and especially pneumatic, hardware. Since the failure modes given in this source are based on operating data from nuclear power plants, it is not clear that the data is representative of failure modes in a marine environment. Nevertheless, failure modes for control equipment are briefly described, and the number of occurrences given. This information was used in Task II to serve as "guidelines."

The second source (3) involves a quite comprehensive study conducted by RADC on electronic part failure modes, but since it was performed some time ago it provides no data on integrated circuits. The data it does provide on transistors, capacitors, and the like still appears valid since it is difficult to imagine that such parts would have developed any totally new failure modes in the period since the study was performed. Hence, DOVAP relied heavily on this study for electronic part failure mode types and frequencies.

(2) Failure Rate Source VI.A.(2), page VI-1

(3) Failure Rate Source VI.A.(1), page VI-1

The third source (4), also from RADC, is primarily a compendium of non-electronic part failure rates, but some failure mode information is also given. Since a large amount of this data is based on military applications, it was used during this study, as was the SRI data, to serve as guidelines.

In establishing the failure modes to be considered in an FMEA, engineering experience traditionally plays a significant role. This occurs in part because of the limitations associated with published data. It also occurs because "real life" failure modes are often not amenable to the FMEA approach.

For instance, intermittent failures and "glitches" of various types are common in actual operations, and their causes are often never determined. Also, in practice, parts are often replaced not because they have totally failed but rather because they have degraded to the extent of affecting system operation. In addition, integrated circuits present tremendously complicated failure mode possibilities. Typical causes of integrated circuit failures include substrate fractures, internal shorts across conductors, internal voids or holes, etc. The manner in which such failure mechanisms impact circuit operation depends on the nature and location of the defect. Some defects will produce quite straightforward failure modes (e.g., circuit output shorted to ground). Others can cause malfunctions in up to every circuit on the chip.

In view of such "real life" characteristics, as well as the limitations of published data, obtaining failure modes amenable to the FMEA approach requires assumptions based on engineering experience. The basic assumption usually made, and the one DOVAP applied on this study, is that parts fail to their extremes in either direction.

The disadvantage of this assumption is that it only partially reflects "real life." That is, some failures will indeed involve these extreme failure modes, while others will involve failure modes somewhere "in between." The advantage of this assumption, and it is a significant one for this study, is that the resulting FMEA will represent the worst case boundaries. This implies that it is not likely that a "more worst case" condition could occur than was revealed in the FMEA.


(4)  Failure  Rate  Source  VI. A.  (3),  page  VI-2 
C. FMEA EXAMPLE


In the paragraphs which follow, an example from the Task II FMEA's is described in order to illustrate approach and procedures. The example covers a portion of digital logic used for control of a boiler Master Fuel Oil Valve.

A sample of the completed FMEA worksheets for this portion of the digital logic is provided in Figure VII-2. A simplified schematic of this logic is shown in Figure VII-1. Since the logic is implemented with integrated circuit NAND-NOR gates, the Figure VII-1 schematic is highly simplified. For instance, the recirculation latch shown actually incorporates several gating stages so that the logic inversions at each gate are combined properly to obtain the correct logic level at the output. The circuitry shown in the figure and covered in the sample FMEA worksheets functions as follows.

The Master Fuel Oil Valve stays open as long as its solenoid is energized. The solenoid driver contains a power driver at its output stage such that when the transistors in the power driver conduct, the solenoid is energized. When the power driver transistors are not conducting, the solenoid de-energizes and the Master Fuel Oil Valve closes. Thus, the opening and closing of the Master Fuel Oil Valve is achieved by "switching" the power driver transistors on or off.

This, in turn, is accomplished during steady state operations by the "Open Mst F.O. Valve Command." This command stays active as long as no boiler trips are present. If a boiler trip condition is detected, the command goes "false," thus switching off the power driver transistors and de-energizing the solenoid.

An open command can also be generated by manually setting the recirculation latch via the Master Fuel Oil Valve Reset pushbutton. This allows fuel oil to be recirculated under manual control. The recirculation latch will reset, however, at the start of a purge cycle or if any burner valve is open.

Open commands are passed on to the solenoid driver only when the manual trip latch is reset. Thus, if it is desired to manually trip the Master Fuel Oil Valve, the Master Fuel Oil Valve Trip pushbutton is depressed, which, in turn, sets the Manual Trip Latch. Recovery following a manual trip requires that the Master Fuel Oil Valve Reset button be depressed.

From this brief description, several failure effects can be readily noted. If the solenoid driver stays energized, the Master Fuel Oil Valve will remain open. This can occur if the solenoid driver fails such that its power driver transistors always conduct. This can be caused by several part failure modes within the driver circuit itself. It can also be caused if the AND gate that switches the solenoid driver fails such that its output always appears "true."

FIGURE VII-2

Sample of FMEA Worksheets

Conversely, if a failure causes the solenoid to de-energize, the Master Fuel Oil Valve will close and the boiler will shut down. This can occur if the power driver transistors stop conducting, and can be caused by certain part failure modes within the driver circuit. It can also be caused if the AND gate switching the solenoid driver fails such that its output always appears "false."

A failure characteristic typical in digital circuitry can also be seen from this example. That is, failures "back down the line" can propagate through the logic and cause some of the same failure effects as those at the output stages. For instance, if the input signal conditioner circuit for the "Master F.O. Valve Trip Pushbutton" input failed such that the input signal appeared "true" (or, in other words, the pushbutton appeared to be depressed), the Manual Trip Latch would be set, the solenoid driver would "switch off," and the Master Fuel Valve would close and shut down the boiler.
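The stuck-at enumeration behind the worksheet entries just described, as an added example that is not part of the report (the study's FMEA was done by hand on worksheets). It models the Master Fuel Oil Valve logic of Figure VII-1 as described above, forces each element to its "fail true" or "fail false" extreme, derives the subsystem and system effects by comparison with the fault-free logic, and applies the equal apportionment of an element's failure rate between its two modes discussed in Section VII.A. Element names, latch set/reset priorities, the two operating scenarios and the failure rates are constructed assumptions.

```python
"""Stuck-at fault enumeration for the Master Fuel Oil Valve logic (added example).
Element names, latch priorities, scenarios and rates are constructed assumptions,
not values taken from the report's FMEA worksheets."""
from dataclasses import dataclass

# Elements of the simplified schematic, in signal-flow order (assumed names).
ELEMENTS = ("trip_pb_cond", "reset_pb_cond", "open_cmd", "recirc_latch",
            "manual_trip_latch", "open_or", "and_gate", "solenoid_driver")

# Constructed operating scenarios used to expose the failure effects.
SCENARIOS = {
    "steady state, burners firing": dict(boiler_trip=False, trip_pb=False,
                                         reset_pb=False, purge_start=False,
                                         any_burner_open=True),
    "boiler trip present": dict(boiler_trip=True, trip_pb=False, reset_pb=False,
                                purge_start=False, any_burner_open=False),
}


@dataclass
class Latches:
    recirc: bool = False        # recirculation latch
    manual_trip: bool = False   # manual trip latch


def evaluate(inputs, latches, fault=None):
    """One evaluation of the logic.  fault=(element, stuck_value) forces that
    element's output, i.e. the 'fail true' / 'fail false' extreme failure modes.
    Returns True when the solenoid is energized (valve open)."""
    def out(element, value):
        return fault[1] if fault and fault[0] == element else value

    trip_pb = out("trip_pb_cond", inputs["trip_pb"])       # input signal conditioners
    reset_pb = out("reset_pb_cond", inputs["reset_pb"])
    open_cmd = out("open_cmd", not inputs["boiler_trip"])   # active while no boiler trip
    # Recirculation latch: reset by purge start or any burner valve open (assumed to
    # take priority); otherwise set by the Reset pushbutton.
    if inputs["purge_start"] or inputs["any_burner_open"]:
        latches.recirc = False
    elif reset_pb:
        latches.recirc = True
    recirc = out("recirc_latch", latches.recirc)
    # Manual trip latch: set by the Trip pushbutton, cleared by Reset (set assumed to win).
    if trip_pb:
        latches.manual_trip = True
    elif reset_pb:
        latches.manual_trip = False
    manual_trip = out("manual_trip_latch", latches.manual_trip)
    any_open = out("open_or", open_cmd or recirc)            # either open command
    gate = out("and_gate", any_open and not manual_trip)     # passed only if not tripped
    return out("solenoid_driver", gate)


def failure_effects(fault):
    """(subsystem effect, system effect) of one failure mode, found by comparing
    the faulted logic with the fault-free logic in each scenario."""
    for name, inputs in SCENARIOS.items():
        good = evaluate(inputs, Latches())
        bad = evaluate(inputs, Latches(), fault)
        if bad and not good:
            return ("solenoid driver stays energized",
                    f"Master F.O. Valve stays open ({name})")
        if good and not bad:
            return ("solenoid de-energizes",
                    f"Master F.O. Valve closes, boiler shuts down ({name})")
    return ("none", "no effect in scenarios considered")


def fmea_worksheet(failure_rates):
    """FMEA rows: both extreme modes per element, assumed equally likely, so half
    of the element's failure rate (failures per million hours) goes to each."""
    rows = []
    for element in ELEMENTS:
        for stuck in (True, False):
            sub, sys = failure_effects((element, stuck))
            rows.append({"element": element,
                         "mode": "fail true" if stuck else "fail false",
                         "rate": failure_rates[element] / 2,
                         "subsystem_effect": sub, "system_effect": sys})
    return rows


if __name__ == "__main__":
    rates = {e: 0.5 for e in ELEMENTS}   # constructed rates, not from the report
    for r in fmea_worksheet(rates):
        print(f"{r['element']:18} {r['mode']:10} {r['rate']:.3f}  {r['system_effect']}")
```

Note that the scan also flags a stuck-true Reset pushbutton conditioner as "valve stays open" during a boiler trip, because the set recirculation latch regenerates an open command; that is the kind of "back down the line" effect the text describes.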


D.  FMEA  POINTS  OF  INTEREST 

From approximately 150 to 400 system-level failure effects were revealed by the FMEA's for each system. For Ship A, which has the most complex control system, the FMEA revealed about 400 system failure effects. For Ship B, which has the next most complex control system, about 200 system failure effects were identified. Ship C has the least complex control system, but the various operating mode and control station provisions increase the number of system failure effects; about 150 were identified. Many of these failure effects are insignificant. For all three ships, however, a considerable number have direct or indirect safety implications, and these are depicted in the fault trees.

As just indicated, the FMEA results were utilized in the fault trees. They were also utilized in all other study analyses. They form the basis for the criticality analysis, as discussed in Section IX. They were extensively utilized in developing the reliability criteria described in Section X. Reliability predictions were computed from the parts groupings established for the FMEA's. FMEA results were also considered in the maintenance analysis.

Since the FMEA's constitute the basis for other study activities, two points must be addressed. The first concerns the degree of realism achieved in the FMEA's; the second, the degree of comparability between the three ships.
D.(1) FMEA Realism


As indicated earlier, the FMEA's were based on extreme failure modes (e.g., fail open/fail short, fail active/fail inactive, etc.). Therefore, to assess the realism of the FMEA's, the realism of such failure modes must be considered.

Both data and experience from aerospace programs indicate that roughly one-fourth of all failures involve these extreme failure modes. However, the parts used on aerospace programs are generally of a consistently higher quality than was found to be the case during this study. These higher quality levels imply that many design and manufacturing defects contributing to extreme failure modes have been eliminated. For the lower quality level parts that are so extensively utilized in the systems evaluated during this study, defects contributing to extreme failure modes are much more likely. Based on past experience and consideration of actual problems that have occurred in engine room automation systems, it seems reasonable to estimate that over 50 or 60 percent of all failures would involve extreme failure modes.

The remaining failure modes would involve intermittents, degradation, etc. Some of these would cause, if only momentarily, the same effects as would an extreme failure mode. For instance, an intermittent could involve a short-term, fail-short condition. It is difficult to estimate the percentage of failure modes that could manifest these effects, but 15 percent would seem extremely low.

Thus, considerably under 25 percent of the failures would involve "real life" failure modes that were neither extreme nor manifested in the same effects as those for extreme failure modes. Since, as indicated earlier, the FMEA's reflect worst case boundaries, the effects of these types of failure modes can be reasonably expected to lie "somewhere between" the failure effects delineated in the FMEA's. That is, they should certainly not introduce any effects "worse" than those already identified in the FMEA's.


D.(2) FMEA Comparability

An overall ground rule for the study was that analytical results for the three ships be directly comparable. To this end, the FMEA's for all three ships utilized the same approach and the same failure modes. Differences in the FMEA's are, therefore, due to differences in the design approach and implementation of the control systems.

Differences in the control systems, and hence the FMEA's, for Ships A and B (the two steam vessels) are due to two factors. First, the design approach differs, with Ship A utilizing a hybrid digital/pneumatic system, while Ship B utilizes a hybrid digital/analog system. Second, the digital logic on Ship A is significantly more complicated than that on Ship B, with a concomitant increase in the number and complexity of the failure effects. The control system on Ship C (the diesel vessel) obviously differs from those on Ships A and B. Tables VII-1, VII-2 and VII-3 give the subsystem breakdown for the three ships and the associated reference numbers used in the FMEA.

Except for the differences dictated by the different control system design approaches, there is only one other minor difference in the FMEA's for the three ships, and this is a function of implementation. On Ship A, more parts could be grouped together than on Ship B, and, to a lesser extent, than on Ship C. The FMEA entries for Ships B and C consist of a large number of single parts, primarily logic gates. The failure modes considered for these gates were fail high/fail low.

On Ship A, a large number of FMEA entries involve several parts that could be grouped together as discussed above. Groups involving a "chain" with an input circuit, inverter, and a gate or two occur quite frequently. It is not accurate in such a group to speak of "fail high" or "fail low" failure modes because a signal that "failed high" at one point in the chain would be equivalent to one that "failed low" on the other side of an inverting logic element. Thus, the failure modes considered were "fail true" and "fail false," where the distinction between "true" and "false" was based on the purpose of the group of elements. A signal whose purpose, for instance, is to indicate that all burner valves are closed, was considered to have "failed true" when the failure made it appear that all burner valves were closed. It was considered to have "failed false" when the failure indicated that all burner valves were not closed. The failure effects identified through these true/false failure modes would be identical to those identified if each element in the chain had individually been considered to have failed high/low.

None of these differences impact the comparability of the FMEA's. While each ship's FMEA identifies failure effects similar or identical to those on the other ships, each FMEA also contains a number of failure effects unique to each particular system. These differences in failure effects simply reflect different design and implementation approaches.


TABLE VII-1

Ship A Subsystem Breakdown

1.0  Boiler Control
     1.1  Load and Combustion Control
          1.1.1  Purge Control
          1.1.2  Prelight Control
          1.1.3  Boiler Safety Logic
          1.1.4  Burner Logic
          1.1.5  Burner Demand Sequencing
          1.1.6  Combustion Air Control
          1.1.7  Fuel Oil Control
                 1.1.7.1  Fuel Oil Flow Control
                 1.1.7.2  Fuel Oil Temperature and Pressure Control
                 1.1.7.3  Fuel Oil Supply Control
          1.1.8  Feedwater/Drum Level Control
          1.1.9  Master Load Control
     1.2  Boiler Local Panel
2.0  Superheated Steam Temperature Control
3.0  Desuperheated Steam Control (including Atomizing and Gland Steam)
4.0  Exhaust and Bleed Steam Control
5.0  Low Pressure Steam Generator Control
6.0  Third and Fourth Stage Feed Heater Control
7.0  Lube Oil Control
8.0  Condensate System Control
9.0  Miscellaneous Alarms and Indications
10.0 Main Engine Control

TABLE VII-2

Ship B Subsystem Breakdown

1.0  Burner Management, Master
2.0  Burner Module
3.0  Combustion Control, Boiler Demand Logic
4.0  Combustion Control
6.0  Drum Level Control
7.0  Feedwater Control
8.0  Feedwater Recirculation Valve Control
9.0  Superheated Steam Temperature Control
10.0 Steam Dump Control
11.0 Forward Feedpump Start/Stop Control Module
12.0 Fuel Oil Header Temperature
13.0 F.O. Recirculation Control
14.0 L.O. Pump Controls
TABLE VII-3

Ship C Subsystem Breakdown

1.0  Station in Control Logic
     1.1  Control Transfer Logic
     1.2  Control Transfer Input Interface
     1.3  Control Transfer Output Interface
2.0  Propulsion Control
     2.1  Engine and Clutch Control Logic
     2.2  Engine and Clutch Control Input Interface
     2.3  Engine and Clutch Control Output Interface
3.0  Mode Control
     3.1  Mode Control Logic
     3.2  Mode Control Input Interface
     3.3  Mode Control Output Interface
4.0  Pitch Control
     4.1  Pitch Controller
     4.2  Pitch Controller Input Interface
     4.3  Pitch Controller Output Interface
     4.4  Pitch Cutback
     4.5  Pitch Cutback Input Interface


VIII.  FAULT  TREE  ANALYSIS 


A.  GENERAL  DISCUSSION 

Fault tree analysis is a systematic method for acquiring information concerning abnormal behavior of a subsystem. The initial process in the fault tree analysis is to determine one or more undesirable events that abnormal behavior of the system could possibly produce. Each event is then individually analyzed to determine its possible causes. The undesirable system events constitute the top-level events in a fault tree diagram. This diagram constitutes a graphical model of the parallel and sequential combinations of faults which could cause the occurrence of each pre-defined top-level undesirable event.

The fault tree diagram is an arrangement of logical elements known as "gates" which permit or inhibit the passage of fault conditions up the tree. In other words, the gates show the relationship of events needed for the occurrence of higher events. The higher event is the output of the gate; lower events are the inputs into the gate. The gate symbols denote the type of relationship required for the input events to produce the output event. Standard symbology has been adopted for the construction of fault trees, and the logic symbols used during this study are as follows:


A.  (1)  Primary  Events 

Primary  fault  tree  events  are  those  which,  for  one  reason 
or  another,  have  not  been  further  developed.  For  these  primary 
events,  probabilities  have  been  determined.  Four  types  of 
primary  events  were  used  in  this  study.  They  are: 


A. (1) (a) The Basic Event


The circle describes a basic, initiating fault event that requires no further development, and signifies that the appropriate limit of resolution has been reached. Events represented by circles are either component failures or groups of component failures, and form the bottom-most levels of the fault tree diagrams.
The diamond describes a specific event that is not further developed either 1) because the event is of insufficient consequence or 2) because information relevant to the event is unavailable. In most cases, diamonds represent failures or conditions outside of the scope of this study, such as conditions involving crew actions or hardware failures outside the control systems. Probabilities were assigned to events represented by diamonds in order to obtain more meaningful probabilities of the top-level events.


A. (1) (c) The Conditioning Event


The ellipse is used to record any conditions or restrictions that apply to a logic gate. It is used in this study to qualify when certain events occur, e.g., during low demand, during maneuvering, etc.


A. (1) (d) The External Event


The house is used to signify an event that is normally expected to occur: e.g., fuel oil is available when needed. Thus, the house symbol displays events that are not, of themselves, faults.


A. (2)  Intermediate  Events 


An intermediate event is a fault condition or contributing factor occurring because one or more preceding events require further definition prior to an input logic gate. All intermediate events are symbolized by rectangles.


A. (3) GATES

Two  basic  fault  tree  gates  were  used  in  this  analysis:  the 
OR-gate  and  the  AND-gate.  The  inhibit  gate,  a  variant  of  the 
AND-gate,  was  also  used. 


A. (3) (a) The OR-Gate


The OR-gate is used to show that the output event occurs if one or more of the input events occur. There may be any number of input events to an OR-gate. The figure below shows a typical two-input OR-gate with input events A and B, and output event Q. Event Q occurs if A occurs or B occurs.


THE  OR-GATE 


A. (3) (b) The AND-Gate


The AND-gate is used to show that the output fault occurs only if all input faults occur. There may be any number of input faults to an AND-gate. The figure below shows a typical two-input AND-gate with input events A and B, and output event Q. Event Q occurs only if events A and B both occur.


A. (3) (c) The INHIBIT-Gate



The INHIBIT-gate, represented by the hexagon, is a special case of the AND-gate. The output is caused by a single input, but some qualifying condition must be satisfied before the input can produce the output. The qualifying condition is termed the conditional input, and is described within an ellipse drawn to the right of the inhibit gate. The figure below shows a typical INHIBIT-gate with input A, conditional input B and output Q. Event Q occurs only if input A occurs under the condition specified by input B.
A. (4) Transfers Within The Fault Tree


Transfers within a fault tree are used as a matter of convenience to avoid extensive duplication or to continue the fault tree diagram on another page. Triangles are used to indicate transfer symbols. A line from the apex of the triangle denotes a "transfer in", and a line from the side, a "transfer out". A "transfer in" attached to a gate will link to its corresponding "transfer out". This "transfer out", perhaps on another sheet of paper, will contain a further portion of the tree describing input to the gate. All transfer symbols are numbered so that the inputs/outputs can be traced. In some cases, such as for "manual intervention", the same branch of the tree is used repetitively. In these cases the branch is only drawn once, although the transfer in symbol is shown many times.

Transfer  in 


A. (5)  Construction  Rules 

Certain  rules  were  used  in  the  construction  of  the  fault 
trees  and  these  are  as  follows: 


a) Each statement entered into an event box is a description of a fault. This description states what the fault is and when it occurs.

b) Faults are either component faults or system faults. Component faults are, obviously, the result of a component failure. If the fault is not the result of a component failure, it is then classified as a "state of the system fault." For component faults, the failure is the primary event. For a "state of the system fault," the causes are identified with further gates.

c)  If  a  failure  can  be  inhibited  by  a  second  failure, 
it  was  assumed  that  the  second  failure  does  not  occur 
and  that  the  first  failure  was  therefore  not 
inhibited.  In  other  words,  it  was  assumed  that  if  a 
normally  functioning  component  could  propagate  a 
fault,  it  would  not  fail  such  as  to  inhibit  further 
development  of  the  fault. 
The fault tree procedures as described above provide a logical sequence for pictorially describing the series of events contributing to the top-level faults or undesirable events. From this pictorial depiction, fault trees can be qualitatively evaluated. They can also be quantitatively evaluated through a process described in the following paragraphs.


B.  QUANTITATIVE  FAULT  TREE  ANALYSIS  THROUGH  BOOLEAN  ALGEBRA 

By applying the principles of Boolean algebra, fault tree pictorial representations of events can be translated to quantitative values. This can be accomplished through expressing the top events of a fault tree in terms of their Boolean relationships to the lower level fault events. However, before this mathematical analogy can be shown, an explanation of the rules of Boolean algebra is necessary.


B. (1)  Rules  of  Boolean  Algebra 


As previously discussed, the two basic gate categories are the OR-gate and the AND-gate, and these pictorially relate fault tree events to Boolean algebra operations discussed above. Each gate has one output and one or more inputs. For an OR gate, the Boolean operator is denoted by the "+". Thus an OR gate with inputs A and B and output Q would be represented in Boolean terms as:

Q = A + B

Since probabilities are dealt with in fault trees, the probability of Q is the probability of A OR the probability of B. If the probabilities are quite small (much less than 10%) the expression becomes:

P_Q = P_A + P_B

If the probabilities are not small, a qualifying term must be included, and the OR expression becomes:

P_Q = P_A + P_B(1 - P_A)

For fault trees such as those developed during the DOVAP study, probabilities are developed from the part failure rates. Recall from section II that the reliability R of an equipment is the probability that it will not fail. The probability that it will fail is therefore:

P = 1 - R, or 1 - e^(-λt)

and such probabilities can be "plugged into" Boolean expressions.

For an AND gate, the Boolean operator is denoted by the product of the inputs. Thus an AND gate with inputs A and B and output Q would be represented in Boolean terms as:

Q = (A)(B)

Again, since probabilities are dealt with in the fault trees, the expression becomes

P_Q = (P_A)(P_B)

The AND and OR operators in Boolean algebra are manipulated exactly as in ordinary algebra. Thus, if P_A was 3 percent and P_B was 2 percent, the OR expression would be:

P_Q = 0.03 + 0.02 = 0.05 = 5%,

or, in other words, Q would have a probability of occurrence of 5 percent. The AND situation would be expressed as:

P_Q = (0.03)(0.02) = 0.0004 = 0.04%,

or, in other words, Q would have a probability of occurrence of four-hundredths of a percent.

There are far more types of manipulations possible with Boolean algebra per se, and with its application to fault trees. However, the fault tree analysis on the DOVAP study had no occasion to go beyond the straightforward AND-OR relationships described above. For further information or more complicated fault tree manipulations, the reader is referred to "Fault Tree Handbook", published by the U.S. Nuclear Regulatory Commission, NUREG-0492, January, 1981, as a good source of information.


C.  FAULT  TREE  MODELS  AND  ASSUMPTIONS 

Fault tree analyses describe analytically the undesired states of the systems, and all credible ways in which the undesired events can occur. The fault trees are graphic models of the various parallel and sequential combinations of faults that will result in the occurrence of the predefined undesired event.

For  the  fault  trees  developed  during  this  study,  the  top 
undesirable  events  were  defined  in  the  Statement  of  Work.  Due 
to  the  basic  differences  between  diesel  and  steam  systems,  the 
top,  undesirable  events  are  somewhat  different  for  the  two  types 
of  systems.  For  the  steam  system,  the  following  are  the  top 
undesirable  events: 
a) Unscheduled propulsion system shutdown due to automation control failures.


b)  Loss  of  turbine  RPM  control  due  to  automation 
control  failures. 

c)  Loss  of  directional  control  due  to  automation 
control  failures. 

For  the  diesel  system,  the  following  are  the  top  events: 

a)  Vessel  does  not  maintain  way  as  commanded. 

b)  Vessel  does  not  respond  correctly  to 
speed/direction  change  commands. 

c)  Uncommanded  speed/direction  changes. 

For the steam systems the top level unscheduled shutdown was further divided into shutdowns due to either boiler or turbine shutdowns and shutdowns due to either boiler over-pressure or explosion. The fault trees for all 3 systems are presented in Appendix E.

Because of the complexity of the evaluations, certain assumptions had to be made. These assumptions are based on the most likely events and may not be 100 percent correct. However, they appear reasonable for this study.

One  assumption  is  that  component  failures  are  independent. 
Common  cause  failures,  that  is,  those  where  a  single  failure  can 
cause  several  failure  modes,  were  not  evaluated.  The  effort 
required  to  identify  common  cause  failures  and  failure  modes 
would  require  a  separate  study  by  itself. 

Manual backup or efforts are represented by one branch of the logic tree, and this is repeated for each occasion where manual intervention could take place. This sub-tree covers the situation where manual intervention could preclude a fault. Such intervention would not be effective if the alarm fails, and therefore does not alert the crew, or if the alarm sounds but crew action is inadequate.

In  order  to  emphasize  the  tremendous  importance  of  the 
crew  taking  the  proper  corrective  action,  the  fault  trees  were 
calculated  twice,  once  with  the  crew  action  never  being  correct, 
and  the  second  time  with  the  crew's  action  correct  90  percent  of 
the  time.  The  true  probability  of  the  crew  performing  the 
correct  action  is  probably  somewhere  between  50  and  90  percent 
but  there  is  no  data  to  substantiate  this. 
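As an added illustration of the Boolean evaluation in Section VIII.B and of the "calculated twice" crew-action assumption above, the evaluator below (example code written for this edit, not from the DOVAP study) walks a small constructed tree with OR, AND and INHIBIT gates, once with crew action never correct and once with it correct 90 percent of the time. Every event name and probability in the tree is assumed for illustration; the only values taken from the page are the 3 percent / 2 percent gate inputs (whose AND product evaluates to 0.0006) and the 0 and 90 percent crew-effectiveness cases.

```python
"""Fault-tree evaluator for OR / AND / INHIBIT gates (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from math import exp, prod
from typing import List, Union


@dataclass(frozen=True)
class Basic:
    """Primary event (circle or diamond): a probability, not developed further."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """OR or AND gate, or INHIBIT with a single input and a conditional input."""
    kind: str                 # "OR", "AND" or "INHIBIT"
    inputs: List["Node"]
    condition: float = 1.0    # INHIBIT only: probability the qualifying condition holds


Node = Union[Basic, Gate]


def failure_probability(rate_per_hour: float, hours: float) -> float:
    """P = 1 - R = 1 - e^(-lambda t), the part failure rate form used on the page."""
    return 1.0 - exp(-rate_per_hour * hours)


def or_gate(ps: List[float], rare_event: bool = False) -> float:
    """OR: the rare-event sum, or the exact form P_A + P_B(1 - P_A) folded over inputs."""
    if rare_event:
        return sum(ps)
    q = 0.0
    for p in ps:
        q = q + p * (1.0 - q)
    return q


def and_gate(ps: List[float]) -> float:
    """AND: independent inputs, so the product (the study's independence assumption)."""
    return prod(ps)


def evaluate(node: Node, rare_event: bool = False) -> float:
    """Walk the tree bottom-up and return the probability of the node's event."""
    if isinstance(node, Basic):
        return node.p
    ps = [evaluate(child, rare_event) for child in node.inputs]
    if node.kind == "OR":
        return or_gate(ps, rare_event)
    if node.kind == "AND":
        return and_gate(ps)
    if node.kind == "INHIBIT":
        if len(ps) != 1:
            raise ValueError("INHIBIT takes exactly one input")
        return ps[0] * node.condition
    raise ValueError(f"unknown gate kind {node.kind!r}")


def propulsion_shutdown_tree(crew_effectiveness: float) -> Gate:
    """Constructed tree; all probabilities are illustrative, not from the study.
    Top event = boiler shutdown via feedwater loss OR a false turbine trip.
    The feedwater branch is "failure occurs AND manual intervention not effective";
    the false trip is an "immediate" failure with no intervention branch."""
    feedwater_fails = Basic("feedwater control fails", 0.05)
    alarm_fails = Basic("drum-level low alarm fails", 0.01)
    crew_action_wrong = Basic("crew response inadequate", 1.0 - crew_effectiveness)
    intervention_not_effective = Gate("OR", [alarm_fails, crew_action_wrong])
    boiler_shutdown = Gate("AND", [feedwater_fails, intervention_not_effective])
    false_trip = Basic("trip circuitry false trip", 0.02)
    return Gate("OR", [boiler_shutdown, false_trip])


def top_event_probability(crew_effectiveness: float, rare_event: bool = False) -> float:
    """Probability of the constructed top event for a given crew effectiveness."""
    return evaluate(propulsion_shutdown_tree(crew_effectiveness), rare_event)


def maneuvering_speed_loss(p_controller_fault: float, p_in_maneuvering: float) -> float:
    """INHIBIT gate: the fault only takes effect while the vessel is maneuvering."""
    tree = Gate("INHIBIT", [Basic("pitch controller fault", p_controller_fault)],
                condition=p_in_maneuvering)
    return evaluate(tree)


if __name__ == "__main__":
    print("OR, rare-event form :", or_gate([0.03, 0.02], rare_event=True))
    print("OR, exact form      :", or_gate([0.03, 0.02]))
    print("AND                 :", and_gate([0.03, 0.02]))
    for eff in (0.0, 0.9):
        print(f"crew effective {eff:.0%}: top event P = {top_event_probability(eff):.4f}")
```

With the constructed values, effective crew action cuts the top-event probability from 0.069 to about 0.025, the "immediate" false-trip branch being the part no intervention can reduce.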

The quantitative evaluation of explosions as related to the top undesirable events became nebulous. Explosions can range anywhere from a slight chimney puff to severe boiler damage and possible injury or death to crew members. Most explosions are the result of a series of undesirable faults, some of which cannot be controlled by the automation system. Also, explosions can result in considerable secondary damage. Therefore, it was assumed that the top most fault resulting from explosions would be that the turbine would be shut down to assess and repair damage.

In general, the quantitative estimates of the fault tree analysis are on the pessimistic side. The fault trees contain many AND conditions representative of a combination of the control system functions and other turbine or boiler hardware failures. Because these combination-type events were so interrelated with the top undesirable events, it was felt that such occurrences involving non-control functions should be included rather than assuming that they would not occur. As an example, the possibility of turbine damage due to high vibration is the probability that the turbine high vibration trip mechanism does not work and the occurrence of high turbine vibration levels. This is an AND condition, where the two events must occur. The probability of high vibration levels could not be determined during this study and, therefore, a value had to be assumed. Again, the vibration is not a function of the automated control system; however, the combined event directly relates to the possibility of damage to the turbine.

The probabilities of boiler damage as well as turbine damage are also on the pessimistic side. In most cases, damage resulting from control system failures is not instantaneous. Usually, the condition degrades due to a series of failures or a failure that allows the system to be run improperly for a period of time. However, the time effect could not be evaluated in this analysis and it was assumed that all conditions that could result in damage occurred instantaneously.

The fault trees were developed to the level sufficient to identify primary component failures. Where several component failures resulted in the same system effect, the component failures were grouped together and given a reference number. All primary events contain one or more reference numbers. The individual failure modes included in the reference numbers can be obtained by finding the number in the failure modes and effects analysis summary sheets, which in turn list the individual failure mode line items. This grouping of failure modes causing the same effects results in simplified fault trees. In many cases, there are 10 to 15 "OR" conditions that would result in the same system effect. The depth of the fault trees is anywhere from 2 to 10 levels. Adding separate primary event circles for each component failure mode would only clutter the already complex fault trees and add nothing to the logic.
D. POINTS OF INTEREST


D. (1) General

The fault trees for all 3 vessels exhibit 2 major types of similarities. These are (1) a larger number of OR-gate relationships than is usually the case with fault trees and (2) many AND-gate relationships characterized by some conditional "input" reflecting, for instance, manual intervention by the crew, the existence of a particular operating mode, etc. Another type of similarity exists between Ship C (the diesel vessel) and the 2 steam vessels. That is, fairly close parallels exist between speed and direction control faults due to pitch control malfunctions on Ship C and throttle control malfunctions on Ships A and B. In one other area, there are a few points of similarity, namely, the fault tree logic for the 2 steam vessels is somewhat similar in some cases. These areas of similarity are discussed below.


D. (1) (a) AND-Gate/OR-Gate Relationships:

The larger than usual number of OR-gates, and the consequent less than usual number of AND-gates, in all 3 fault trees stems from a basic characteristic of control systems. Since their purpose is to regulate and change, as required, overall system operation, there is no "buffer zone" between the controls and overall system status. In other words, the function of the controls is to "tell" the overall system what to do, and to accomplish this, the controls must have direct access to the system hardware being controlled. This implies that once the controls have generated any particular command, either legitimately or due to malfunction, the command will be acted upon. These resulting actions can range from opening or closing the turbine steam valves to inserting a burner ignitor.

If commands for such actions are generated as a result of a malfunction, they will appear in the fault trees in an AND-gate relationship only if other conditions are required for the action to be carried out. Redundancy is one such condition. In the systems evaluated, only 2 areas of redundancy were found. These were in the control systems' power supplies and in trip circuitry. For power supply malfunctions to cause control system faults, Power Supply #1 and Power Supply #2 must fail. The redundancy in the trip circuitry is implemented to ensure that if a trip condition exists, a trip will occur. Thus, loss of trip capability requires that Trip Circuit #1 and Trip Circuit #2 both fail in such a manner that trip conditions are not recognized. The fault tree AND-gates resulting from these redundancies, however, number fewer than half a dozen.

Another area that can be thought of as redundant exists for all 3 ships. This involves the 2 boilers on both Ships A and B, and the 2 diesel engines on Ship C. Under some conditions, both boilers or engines must be affected by control system failures to produce an upper level fault tree event. An example of an AND-gate relationship depicting this situation would be independent failures that cause shutdown of both Boiler #1 (or Engine #1) and Boiler/Engine #2. The 3 burners per boiler on Ship A and the 2 burners per boiler on Ship B reflect a similar situation in the fault trees. These boiler-burner-engine AND-relationships constitute very roughly about a third of all fault tree AND-gates.

Very roughly about another third of the fault tree AND-gates represent situations where manual intervention can prevent the fault from "taking effect." These situations involve processes which continue somewhat normally for some finite period after the failure has occurred. If the crew is alerted to such a condition, and takes the proper action, the fault can be avoided. An example would be a failure that shuts down the feedwater supply to a boiler. Following the loss of the feedwater supply, a few minutes would be available to activate a back-up supply if the crew was alerted by a drum-level low alarm and then responded correctly. These situations are depicted in the fault trees as "failure occurs and manual intervention is not effective." Obviously, non-effective manual intervention can be caused by loss of the alerting alarm, failure of the crew to respond to the alarm, or incorrect crew action after responding to the alarm.

The remaining approximately one-third of the fault tree AND-gates reflect some type of conditional requirements. In these situations, both the specific hardware failure and some other condition must exist for the upper level fault to occur. For a potential boiler explosion, for instance, both a fuel source and a combustion source must exist. For a potential boiler overpressure, steam demand must decrease and steam supply must fail to be cut back. Other examples would include failures which affected only certain modes of operation; e.g., loss of speed control in the maneuvering mode. (The fault tree would require that this failure occurred and that the vessel was in the maneuvering mode.)

On  the  2  steam  vessels,  there  is  about  a  50-50  ratio  of  AND 
to  OR  gates  in  the  fault  trees.  On  the  diesel  vessel,  the  ratio 
is  about  85  percent  OR's  to  15  percent  AND’s.  This  number  of 
OR-gates  implies  that  many  failures  can  "ripple  up"  to  the  top 
of  the  trees  with  little  to  impede  them. 

D. (1) (b) Diesel/Steam Vessel Similarity:

As indicated above, there are fairly close parallels between speed and direction control faults due to pitch control malfunctions on Ship C and throttle control malfunctions on Ships A and B. This is to be expected since the functions of pitch control and throttle control are essentially identical. Also, both pitch control and throttle control have "direct access," as discussed above, to the vessel hardware being controlled. (Throttle valves on the turbine vessels and CPP on the diesel vessel.) Many possible control failures will therefore result in incorrect commands to the controlled elements.


D. (1) (c) Similarity Of The Turbine Vessels:

As noted above, there are a few points of similarity in the logic layouts of the fault trees for Ships A and B. Major differences involve the 3 burners per boiler on Ship A vs. 2 burners per boiler on Ship B, the inclusion of automatic burner demand sequencing on Ship A, the provision of more trip features on Ship B, etc. The individual fault tree probabilities are, of course, different for the 2 ships due to such factors as the use of pneumatics on Ship A, the hardware required for control of the third burner, etc.

The similarity of the fault tree layouts for the 2 vessels exists at the top-most and bottom-most levels and indicates that while the intermediate paths differ, neither system introduces many unique fault events of its own. Since only 2 systems were evaluated, it is not reasonable to conclude that this would be the case for any steam control system. Since the systems evaluated utilized different technological approaches, however, it does not seem likely that other systems would introduce fault tree relationships vastly different from those identified during this study.


D. (2) Quantitative Points Of Interest

D. (2) (a) Ships A and B

A significant point of interest with respect to the steam vessel fault tree quantitative analysis concerns the effect of manual intervention. By computing the probabilities twice, once assuming that manual intervention was never effective, and once assuming that it was effective 90% of the time, considerable overall difference in the numerical results occurred. As discussed in the following section, this manual intervention is primarily possible because of the grace period provided by pipeline processes. At the top level of the fault tree, effective intervention actions can approximately halve the probability of the fault.

Another point of interest concerns boiler explosions. The top level probability of this fault is quite low, in part because of the AND-gates in this logic. A significant number of these AND-gates depict the conditions needed for an explosion, e.g., a fuel source AND an ignition source. Also, while there are a number of potentially critical failure modes in this logic, e.g., purge occurs without airflow, most of the failure mode probabilities are low.


The  top  level  probability  of  boiler  overpressure  is  also 
quite  low.  This  chiefly  occurs  because  overpressure  conditions 
are  provided  with  protective  trips  and  shutdowns.  For  an 
overpressure  fault  to  occur,  both  an  overpressure  condition  AND 
loss  of  overpressure  protection  must  occur.  In  general,  the 
probabilities  of  losing  the  protection  features  are  quite  low. 

The probabilities associated with loss of both boilers and turbine shutdown are relatively high. This occurs in part because the fault tree logic for both of these faults involves a large number of OR-gates. Also, there are several failure modes with relatively high probabilities. Both the number of OR-gates and the relatively high probability failure modes result in a number of fault paths with higher probabilities than is generally the case for other fault tree logic.

In the area of turbine damage, a large portion of the failure modes contributing to the top events are provided with protective features. Where trips are provided, an AND situation occurs because the failure mode must occur AND the protective feature must fail to result in turbine damage. Such AND conditions significantly reduce the probability of damage from their associated failure modes. Where no protection features are provided, the resulting OR situations cause the associated failure mode probabilities to accumulate.

The  top  level  probability  for  speed/direction  control 
faults  is  quite  low.  This  occurs  because  of  the  AND  situation 
depicting  the  backup  provided  by  the  handpump  and  turning  gear. 
Without  these  backup  provisions,  the  top  level  probability  would 
be  significantly  higher.  Also,  a  considerable  portion  of  it 
would  be  due  to  failures  in  the  hydraulics. 


D. (2) (b) Ship C

The Ship C fault tree is characterized by three major quantitative points of interest. These are:

a)  There  are  very  few  areas  where  manual  intervention  to 
preclude  the  failure  effect  is  possible,  and 
numerically,  these  do  not  impact  the  results  at  all; 

b) The individual failure modes have quite low probabilities, with the result that upper level probabilities are also low;

c) The tree logic contains a large proportion of OR-gates, but due to the low individual probabilities this does not lead to relatively high upper level probabilities.
Another point of interest is that all upper level events are very roughly equally likely.

The numerical implications of the Ship C Fault Tree can be summed up as follows: Any fault event is quite roughly just about as likely as any other, although all are relatively unlikely. If a fault event does occur, however, it will generally occur without warning and with no chance of the crew precluding its effect.
IX. CRITICALITY ANALYSIS


A.  GENERAL  CRITICALITY  ASPECTS 

During the FMEA and fault tree analyses, it was found that engine room automation systems exhibit 2 classes of system failure effects. The first class can be termed "immediate," since if the specific failure occurs, its effect will occur immediately, without warning, and with no possibility of manual intervention by the crew to prevent or mitigate the failure effect. The second class can be termed "failure effect pending," since there will be some finite period between the time of the failure and the point at which its failure effect is manifested. During this period, it is theoretically possible for the crew to perform some mitigating action so that normal operation is not interrupted.

Failure  effects  in  the  immediate  class  stem  from  the 
"direct  access"  (or,  lack  of  a  "buffer  zone")  of  the  controls  to 
the  elements  being  controlled,  as  described  in  the  fault  tree 
discussions  in  Section  VIII. D.  Examples  of  failure  effects  in 
this  class  include  trip  circuitry  failures  that  cause  false 
trips,  and  pitch  control/ turbine  control  failures  that  cause 
uncommanded  speed  or  direction  changes. 

Defining  the  criticality  of  failure  effects  of  the 
immediate  class  in  qualitative  terms  is  straightforward.  If  the 
failure  occurs,  its  effect  will  occur,  so  criticality  is  a 
function  of  the  failure  effect  described  in  the  FMEA.  These 
failure  effects  range  from  trivial  to  serious,  and  the  serious 
ones  appear  in  the  fault  trees  as  direct  causes  or  contributing 
factors  to  top  level  fault  tree  events. 

For  serious  failures  of  the  immediate  class,  it  is 
impossible  to  implement  alarms  that  would  provide  the  crew  with 
an  advanced  warning.  However,  alarms/indications  should  be 
provided  to  enable  the  crew  to  restore  normal  operations  as 
quickly  as  possible.  Minimizing  these  failure  effects  requires 
reducing  the  likelihood  that  the  failure  occurs. 

Failure effects in the "failure effect pending" class
involve  processes  which  continue  somewhat  normally  for  some 
finite  time  period  after  the  failure  has  occurred.  This  grace 
period  is  exhibited  in  two  situations.  The  primary  one  is  due 
to  what  can  be  thought  of  as  a  pipeline  process.  An  example 
would  be  a  failure  which  shuts  down  the  feedwater  supply  to  a 
boiler.  Following  the  shutdown,  some  feedwater  would  remain  in 
the  "pipeline"  (e.g.,  in  the  piping  and  boiler  drum)  so  that  the 
consequences  of  the  failure  would  not  occur  immediately. 

Another example would involve a failure that caused loss of fuel oil heating. In this case, the failure would cause the fuel oil to become too viscous to flow, but some properly heated fuel oil would continue to flow for a few minutes before this occurred.

Since pipeline processes are associated with a number of steam plant control functions, quite a few failure effect pending type failures of this kind were identified for both steam vessels. None were identified for the diesel vessel.

The  other  situation  where  failures  of  the  failure  effect 
pending  class  can  occur  is  associated  with  provisions  for  safety 
shutdowns  to  preclude  machinery  damage.  This  situation  requires 
a  failure  that  causes  loss  of  such  shutdown  capability  and  also 
that  a  shutdown  condition  exist  (e.g.,  low  lube  oil  pressure  to 
a  turbine  or  diesel  engine,  turbine  vibration,  high  diesel 
jacket  water  temperature).  In  these  cases,  there  is  some 
possibility  that  in  the  absence  of  an  automatic  safety  shutdown, 
the  crew  might  become  aware  of  the  situation  and  initiate  a 
manual  shutdown  before  serious  damage  had  occurred.  This  is  the 
only  type  failure  of  the  failure  effect  pending  class  identified 
for  the  diesel  vessel.  For  both  steam  vessels,  several  failures 
of  this  type  in  the  turbine  controls  were  identified. 

The  criticality  of  the  failure  effects  pending  type 
failures  involves  several  factors.  There  are,  of  course,  the 
ultimate  consequences  if  the  failure  "takes  effect."  Some  of 
these  ultimate  consequences  are  trivial;  some  are  serious.  Of 
equal  significance  with  the  ultimate  consequence  is  the  length 
of  time  of  the  grace  period. 

For  the  failure  effects  pending  type  failures  identified  on 
the  2  steam  vessels,  a  grace  period  of  about  3  minutes,  on 
average,  is  available.  This  figure  also  appears  reasonable  for 
the  few  failures  of  this  type  identified  for  the  diesel  vessel. 

A period of 3 minutes, more or less, is not sufficient for troubleshooting and repair (except in 1 case, as noted below). It would be sufficient in many cases to go to a manual back-up mode of operation. The lengths of time required for transferring to back-up modes were estimated for Ship A and found also to be applicable to Ship B. These times, which are applicable to a two-man watch, and which could vary plus or minus somewhat, are as follows:


a) 1 minute to 5 minutes maximum to get a boiler back-up under manual control following a boiler shutdown due to automation.

b) 1 minute to 5 minutes maximum to go onto handpump operation following a turbine control problem.

c) 5 minutes to place a remotely located control valve onto manual bypass and manual control.

d) 3 to 5 minutes to restore pump operation under manual control following a pump shutdown caused by automation.

Troubleshooting  and  repair  times  are  considerably  longer. 
Again,  these  were  estimated  for  Ship  A  and  found  generally 
applicable  to  Ship  B.  They  are  as  follows: 


a) Printed circuit card failure:

1) from 15 minutes to 1 hour if troubleshooting documentation available and card tester utilized.

2) from 30 minutes to 2 hours if card tester utilized but troubleshooting documentation not available.

3) indeterminate if card tester not available.

b) Remotely located sensors and valves: from 5 to 30 minutes to troubleshoot; repair time indeterminate, on the order of a half hour to several hours.

c) Relays:

1) from 15 minutes to 1 hour if troubleshooting documentation available.

2) indeterminate if troubleshooting documentation not available; in worst case could require a day or more.

d) Set Point Controller (used on Ship A only): 2 minutes to change out the controller; no troubleshooting required, problem obvious by looking at controller. (Note: this is the only case found where repair could be accomplished within the grace period of the pending failure effect.)
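The screening argument of the preceding pages (a pending failure effect can only be mitigated by an action that fits inside the grace period, while an immediate-class failure leaves only likelihood reduction) can be written down as a small checker. The following is an added example, not part of the DOVAP report: it takes the transfer-to-backup and repair time bands estimated above for Ship A, compares each against a 3-minute grace period, and also includes an assumed first-order model for the grace period of a pipeline process (stored inventory divided by draw-down rate). The class and field names, the sample note numbers and all inventory figures are assumptions.

```python
"""Grace-period screening for 'failure effect pending' failure groups (added example)."""
from dataclasses import dataclass
from enum import Enum
from math import inf
from typing import Optional


class EffectClass(Enum):
    IMMEDIATE = "immediate"             # effect occurs at once, no crew intervention possible
    PENDING = "failure effect pending"  # finite grace period before the effect manifests


@dataclass(frozen=True)
class Mitigation:
    """A crew action with an estimated duration band in minutes (inf = indeterminate)."""
    name: str
    min_minutes: float
    max_minutes: float


@dataclass(frozen=True)
class FailureGroup:
    note: str                       # criticality reference number, as in the FMEA column
    effect: str
    grace_minutes: Optional[float]  # None marks the immediate class
    mitigations: tuple


def grace_from_inventory(stored_units: float, consumption_per_minute: float) -> float:
    """Assumed pipeline model: how long the stored inventory lasts once supply stops."""
    if consumption_per_minute <= 0:
        return inf
    return stored_units / consumption_per_minute


def classify(group: FailureGroup) -> EffectClass:
    return EffectClass.IMMEDIATE if group.grace_minutes is None else EffectClass.PENDING


def screen(group: FailureGroup) -> dict:
    """Sort each mitigation by whether its time band fits inside the grace period.

    guaranteed: even the slowest estimate finishes before the effect manifests.
    possible:   only the faster estimates do, so it depends on crew and circumstances.
    infeasible: even the fastest estimate is too slow.
    """
    result = {"class": classify(group).value, "guaranteed": [], "possible": [], "infeasible": []}
    if group.grace_minutes is None:
        # Immediate class: no advance warning is possible, only a restoration alarm.
        result["recommendation"] = "reduce failure likelihood; alarm for post-event restoration"
        return result
    g = group.grace_minutes
    for m in group.mitigations:
        if m.max_minutes <= g:
            result["guaranteed"].append(m.name)
        elif m.min_minutes <= g:
            result["possible"].append(m.name)
        else:
            result["infeasible"].append(m.name)
    result["recommendation"] = (
        "alarm the control-side cause so the crew can act inside the grace period"
        if result["guaranteed"] or result["possible"]
        else "grace period too short to exploit; treat like the immediate class"
    )
    return result


# Time bands as estimated in the text for Ship A (minutes); inf marks "indeterminate".
TRANSFER_TO_BACKUP = (
    Mitigation("boiler to manual control", 1, 5),
    Mitigation("turbine to handpump", 1, 5),
    Mitigation("remote control valve to manual bypass", 5, 5),
    Mitigation("pump restored under manual control", 3, 5),
)
REPAIR = (
    Mitigation("PC card, docs + card tester", 15, 60),
    Mitigation("PC card, tester but no docs", 30, 120),
    Mitigation("PC card, no tester", inf, inf),
    Mitigation("relay, docs available", 15, 60),
    Mitigation("set point controller swap", 2, 2),
)

# Constructed sample groups; the note numbers and effects are illustrative, not the report's.
FEEDWATER_LOSS = FailureGroup(
    note="S-01", effect="feedwater supply shut down by control failure",
    grace_minutes=3.0, mitigations=TRANSFER_TO_BACKUP + REPAIR)
FALSE_TRIP = FailureGroup(
    note="S-02", effect="trip circuitry fault causes false turbine trip",
    grace_minutes=None, mitigations=TRANSFER_TO_BACKUP + REPAIR)

if __name__ == "__main__":
    for grp in (FEEDWATER_LOSS, FALSE_TRIP):
        print(grp.note, screen(grp))
```

Run against the constructed feedwater group, only the set point controller swap is guaranteed to fit a 3-minute grace, the 1-to-5-minute back-up transfers are merely possible, and every card or relay repair falls out as infeasible, which is the same conclusion the text draws.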

For  the  crew  to  take  some  mitigating  action  to  a  failure 
effect  pending  type  failure,  it  must,  of  course,  be  alerted  and 
respond  to  the  situation.  While  a  watchstander  might  be  alerted 
to  an  abnormal  condition  by  visually  monitoring  gages  and 
indicators,  the  alerting  function  is  generally  performed  by  the 
alarm  system. 

During  this  study,  it  was  found  that  alarm  provisions  on 
all  3  vessels  appeared  to  be  based  on  abnormalities  due  to 
factors  outside  the  control  system.  That  is,  the  parameters 
that were alarmed appeared to be those which could deviate
beyond  acceptable  limits  due  to  problems  in  the  hardware  being 
controlled.  For  some  failure  effect  pending  type  failures,  the 
results  of  control  failures  are  the  same  as  those  of  non-control 
failures  (e.g.,  drum  level  low,  steam  temperature  high,  fuel 
pressure  low,  etc.). 
In other cases, control system failures can produce effects not normally expected in non-control equipment. For instance, a forced draft blower fail alarm is provided on Ship A. In the non-control portion of the combustion air system, loss of air is indeed more likely from fan failure than any other cause. In the control system, however, there is little likelihood of a failure that would shut down a blower, but there are several failures that would cut back or shut off the air supply. Such failures would cause a smoke alarm but no alarm specifically indicating a combustion air problem.


B.  QUANTITATIVE  CRITICALITY  ANALYSIS 


Based on the general criticality aspects discussed above, quantitative analyses were conducted to identify and evaluate the interactions, relationships, and ramifications that can impact the severity of a failure. This "severity", in turn, relates to the end effect of the failure on the vessel.

Thus, the quantitative criticality analysis focussed on identifying the various "scenario" factors that determine whether or not a potentially critical failure effect will indeed have critical consequences.

Where these factors and their various ramifications could be quantified, they were included in the quantitative analysis. Other factors and their various ramifications are difficult, and in many cases, impossible to quantify, and they were not quantitatively evaluated.


B.(1) Factors Impacting Criticality

Criticality analyses related to automated propulsion systems are unusually complicated because of the large human factor interface. In addition to the human factors, there are many other factors that can affect the criticality of each failure. Listed below are some that were considered during the criticality analysis. It is emphasized that this entire criticality analysis process is very complicated, and could become a never ending chain of possibilities if all factors were completely analyzed. Therefore, DOVAP selected the primary factors for evaluation since these will generally determine the most likely end effect.


B.(1)(a) Subsystem Effect

The initial criticality consideration involves which subsystem has failed or degraded. This requires that the subsystem be evaluated in terms of its function and relationship to other subsystems.


B.(1)(b) Component Effect

Component failures within the subsystem have to be evaluated to determine the effect on subsystem criticality. An important part of this evaluation is whether the component is an input or output device. If the component is an input device such as a sensor, usually not only the function fails, but alarms and instruments also fail. If the component is an output device, then using the manual backup mode of operation may not mitigate the effect of the failure. Also, some component failures have relatively little effect on the subsystem performance. An example would be failure of a remote manual function which would only be activated in event of failure of the primary system.


B.(1)(c) Component Failure Mode

A failure mode has a direct bearing on the criticality of the failure. Some failure modes are passive and have little effect on the subsystem performance. The so-called "hardover" failure modes are the most catastrophic to the system, but are often the easiest to detect and isolate. Intermittent failures or marginal failures which create erratic control situations may, in fact, cause more problems than "hardover" failures.


B.(1)(d) Failure Rates

The expected failure frequencies affect criticality. Also, the expected failure frequencies for many components can vary during the vessel's operational life, and this variation must also be considered. Initially failure frequencies will be high due to infant mortality, since this type of failure is related to the manufacturing process or installation errors. This period can last anywhere from six months to three years, depending on the types of components and the operational environment. At some point in the operational life, wear-out begins, and this again is dependent on the type of component and will vary with different components. For electronic equipment, the wear-out period has never been established and probably is past the operational life of the equipment. For field equipment, the operational life is probably quite short, and there are some indications that wear-out starts within two or three years of the initial operation of the vessel.

Failure rates are also affected by the amount of functional testing and maintenance, including preventative maintenance and inspection of the equipment. The maintenance philosophy can bring up a whole new series of complex evaluations. The extremes of these philosophies can be to perform no preventative maintenance or inspections, and only perform maintenance as the equipment fails. The converse would be a detailed maintenance plan with functional testing and checks, scheduled inspections of the equipment, and comprehensive preventative maintenance. In the majority of the cases, the schedule of maintenance for commercial vessels is not pre-planned and is carried out as directed by the chief engineer.

Failure  rates  also  have  a  direct  bearing  on  the  probability 
of  backup  equipment  being  available  when  needed.  If  back-up 
equipment  is  not  periodically  checked  and  maintained,  there  is 
no  assurance  that  it  will  work  when  required. 

Contingency plans for failure conditions also impact criticality and must be based on expected failure rates. Manpower, test equipment, and spares can, depending on their availability, reduce or lengthen the times an equipment is out of service due to failure.


B.(1)(e) Operational Mode

The  vessel's  mode  of  operation  when  a  failure  occurs  is 
very  important  to  the  criticality  analysis.  Many  failures  would 
be  highly  critical  during  maneuvering  whereas  they  would  have 
little  or  no  effect  during  normal  cruising.  The  three  phases 
considered  during  the  criticality  analysis  were:  normal 
cruising,  maneuvering,  and  light-off. 

Normal  Cruising 

During  normal  cruising,  most  temporary  failure  conditions 
are  not  hazardous  to  the  operation  of  the  vessel.  There  are 
exceptions  to  all  cases  of  course,  and  if  the  vessel  is  in  close 
quarters  to  other  vessels  or  navigation  hazards,  temporary  loss 
of  RPM  or  direction  control  would  be  critical.  However,  this 
will  not  be  the  case  during  the  majority  of  the  normal  cruising 
time,  so  these  factors  were  not  considered  in  the  criticality 
analysis. 

Maneuvering 

Maneuvering  is  the  most  critical  time  period  considered  in 
the  criticality  analysis.  Again,  in  the  maneuvering  mode,  there 
are  many  situations  where  loss  of  RPM  or  directional  control  are 
not  critical.  However,  a  fairly  large  percentage  of  the  time 
the  vessel  will  be  in  close  quarters,  and  the  temporary  loss  of 
directional or RPM control, or loss of sufficient power for extreme maneuvers would be critical to the vessel.

Light-Off 

Again, the criticality of a failure during the light-off phase is determined by the situation at the time. In the criticality analysis, it was assumed that the majority of the light-offs occur when the throttle is at stop. In some cases, there would be a re-light after maintenance or a boiler trip. These occasions, however, are relatively infrequent and probably occur primarily during normal cruising. Therefore, a problem which causes delays in light-off would usually interfere only with scheduled departure.


B.(1)(f) Watch Size

The number of watchstanders and their background and experience are critical in terms of how quickly normal operation is restored after a failure. Besides the number of watchstanders, the availability of the chief engineer and any other crew members needed to respond to failure situations is also a factor. In the criticality analysis, it was assumed that a two-man watch is maintained at all times and that one of the two is a licensed engineer. The chief engineer is normally in the control room during maneuvering, and would also respond to all alarms and trips. It is estimated that on the average, he would be in the control room within two minutes of any alarm or trip. After observing the operational conditions of selected vessels, it was concluded that, in other than totally unmanned situations, the number of watch personnel during normal cruising is not a criticality-related factor. This is based on the close proximity of the crew's quarters to the control room, and on the generally high reliability of the alarm system. As mentioned above, criticality changes during maneuvering and it is assumed also that the watch size changes and includes the chief engineer.


B.(1)(g) Alarms and Trips

The reliability and coverage of alarms and trips are a very important criticality aspect. For the automated systems evaluated during this study, many failure conditions will activate more than one alarm. As an example, if a failure caused low combustion air, the poor air to fuel ratio would create a smoke condition and a smoke alarm would occur. If the condition continued to degrade until the flame was lost in one burner, a burner management alarm would occur. If this shuts down the boiler, a boiler trip alarm would then occur. If the boiler trip produced a low steam pressure condition, a turbine proportional control malfunction alarm would be activated and the turbine would reduce power. Finally, if the low steam condition continued, a turbine trip and alarm would occur.

In addition to the alarms and trips, the systems evaluated have gauges, read-outs, and lights indicating parameter values and system status. Last but not least, the human interface factor is very important with respect to boiler and turbine conditions and to the implications of alarms and trips. Ever since steam systems have been used for vessel propulsion, the human senses have played an important role in the safe operation of the systems. The human senses, as well as knowledge of the system, still impact safe system operation. That is, the end determination as to whether a valid alarm condition exists depends on the crew member's appraisal of the situation.


B.(1)(h) Crew Corrective Action

Once it has been determined that a valid alarm exists, the capability of the crew to respond and to take the proper corrective action is a function of their training and experience.


Immediate  Response 

In the criticality analysis, it was assumed that the immediate crew response would be to restore normal operation as soon as possible. This would be accomplished through the quickest means available to alleviate or by-pass the problem. This could be through use of backup equipment, use of remote/manual capability, or through full manual operation. Another aspect of the immediate response that must be taken into consideration concerns possible equipment damage. For instance, if a high or low water condition exists, the corrective action must be immediate and correct to avoid damage to the boiler or turbine. In many cases during normal cruising, the immediate action will be to prevent equipment damage. On the other hand, during maneuvering or close quarter operations, the immediate action may be to maintain sufficient power or RPM's to avoid a possible collision. Therefore, the training of the crew members in response to certain conditions is a very important part of the criticality analysis.

Troubleshooting  and  Repair 

Troubleshooting and repair is usually conducted after the immediate action has been taken and secured. Troubleshooting and repair may be conducted immediately after the failure occurs, or possibly the secondary mode of operation would be continued until the end of the cruise and troubleshooting and/or repair conducted when the vessel reached port. However, the most desirable approach is to restore the system to full automated capabilities as soon as possible. Therefore, the crew members should be capable of troubleshooting and repairing the system.


B.(l)(i)  Back-Up  Capability 

During  the  criticality  evaluation,  the  back-up  modes  of 
operation  were  considered. 
A major consideration associated with the automatic switching of back-up equipment is the reliability of the switching equipment itself. A large amount of the back-up equipment on the vessels evaluated during this study is either in stand-by or is operationally parallel. Most backup pumps and generators are kept on stand-by. That is, they are not in operation until the other pump or generator is taken off line or fails, at which point they are automatically switched in to service. In the case of the boilers, both boilers are operational during normal cruising, and way can be maintained with one boiler at reduced RPM's.

B.(1)(i)(A) Remote Manual Operation of Automated Controls

The remote manual mode of operation is the first back-up selected in case of failure of the primary automated controls. This operational mode can be used if there is a failure in either the input or control logic of the control system.

B.(1)(i)(B) Manual

Boiler front manual control presents several drawbacks. Automatic alarm/trip provisions are disabled in this mode, and the operator must be responsible for monitoring all vital parameters. However, this type of operation has been satisfactory for many decades and if the crew member is properly trained, should provide satisfactory back-up.


B.(1)(j) Troubleshooting Equipment

A  factor  in  the  criticality  analysis  and  related  to  the 
crew  members'  capability  and  training  concerns  the  type  of 
troubleshooting  equipment  available.  This  is  divided  into  two 
major  categories:  (a)  built-in  test  and  (b)  individual  pieces 
of  test  equipment. 

B.(1)(j)(A) Built-In Test

Some automated control systems have fairly extensive built-in tests (BIT). Vessel B has a circuit analyzer for the analog section of the controls. This makes it fairly easy to diagnose problems to the circuit card level and then remove and replace the card. However, there is no circuit analyzer for the digital portion of the system, and troubleshooting would be very tedious, if not impossible, for the average crew member. Vessels A and C have printed circuit cards with light emitting diode fault indicators. These do not indicate all possible faults, however.

B.(1)(j)(B) Test Equipment

Most  control  system  manufacturers  provide  circuit  card 
testers  as  optional  equipment.  These  are  very  important  and 


should  be  part  of  the  standard  inventory  of  test  equipment  on 
all  vessels  with  automated  electronic  systems.  Card  testers 
should  be  used  to  verify  that  the  card  removed  from  the  system 
has  indeed  failed  and  that  the  replacement  cards  are  operational 
before  being  installed  in  the  system. 


B.(1)(k) Spares

The availability of spares is also a factor in the criticality analysis. If equipment is to be restored to normal operation, adequate spares must be provided. The types of spares carried are a function of crew capability and the type of troubleshooting equipment available. On most vessels, individual piece parts are not replaced on failed cards. However, if a crew member is available with adequate training, and if adequate test equipment is available, the cards could be repaired on board.


B.(1)(l) Technical Documentation

The  adequacy  of  technical  documentation  is  interrelated 
with  test  equipment  and  crew  capability  in  terms  of  the  ability 
to  restore  the  equipment  to  normal  operation.  In  evaluating  the 
troubleshooting  documentation  for  the  electronic  controls  on  the 
three  vessels  considered  in  this  study,  it  was  concluded  that 
sufficient  details  were  not  provided  for  the  normal  crew  member 
to  isolate  problems  to  the  failed  component.  This  is  especially 
true  for  the  digital  portion  of  the  control  systems. 


C.  QUANTITATIVE  CRITICALITY  ANALYSIS  PROCEDURE 


As  pointed  out,  all  of  the  factors  above  have  some  bearing 
on  the  criticality.  In  order  to  evaluate  these  factors,  the 
following  procedures  were  applied. 


C.(1) Grouping of Failure Modes

Failure modes from the FMEA's were grouped whenever possible so that a common criticality analysis could be performed on the group. Each group of failure modes was given a reference number, which is called a criticality number. Each criticality reference number is given in the right-hand column of the individual FMEA sheets and is summarized on the FMEA summary sheets.


C.(2) Criticality Analysis Summary Sheets

For each group of failure modes, a criticality analysis summary sheet was developed. These summaries are presented in Appendix F. Figure IX-1 is a typical criticality analysis sheet and the following is an explanation of the analysis.

C.(2)(a) Note Number

This is the number that appears in the right-hand column of the FMEA sheets and is the reference note number in the summary sheets. This is also the number corresponding to the lowest level component faults in the fault trees.

C.(2)(b) Failure Effect

The failure effect is the description of the group of failure modes which have been accumulated under one criticality evaluation number.

C.(2)(c) System Effect

This is the most likely effect of the failure on the propulsion system or turbine system. In some cases, there are one or more effects and the effects are given with the most likely being the first.

C.(2)(d) Symptom or How Detected

This gives the most likely way that the problem can be detected, and could be an alarm, or trip, or other indications. In many cases, there are multiple ways in which the problem can be detected. In some cases, there are no detection means except that the vessel responds incorrectly.

C.(2)(e) Most Likely Action and System Status

This part of the criticality analysis is the most subjective because of the factors listed above, and the many assumptions. To reiterate some of the assumptions previously given:

a) It is assumed that the number of watchstanders during normal cruising does not appreciably affect the actions taken.

b) The chief engineer is in the control room during maneuvering and light-off.

c) The chief engineer can normally reach the control room within two minutes.

d) In most cases, the watchstander has sufficient time to cross check indicators, lights, and other symptoms, and then takes the proper action.




SHIP fl NOTE #24

FAILURE EFFECT: Deaerator high level

SYSTEM EFFECT: No effect.

SYMPTOM OR HOW DETECTED: Vital alarm in engine room control console. Level transmitter set at 81" (high). Relief valve opens.

MOST LIKELY ACTION AND SYSTEM STATUS

-IMMEDIATE: Verify alarm and check indicators in control console. If cannot clear alarm, activate remote manual or manual control.

-SECONDARY ACTION: Troubleshoot system using analog test station. If problem in the field, isolate to component using meters and visual inspection. Replace defective component and return to automatic control.

CRITICALITY EVALUATION:

System Effects:
(a) Normal Steaming: 2 - No effect.
(b) Maneuvering: 2 - No effect.
(c) Light-Off: 1 - Not applicable during this phase.

Mission Effects:
(a) Normal Steaming: 2 - No effect.
(b) Maneuvering: 2 - No effect.
(c) Light-Off: 1 - Not applicable during light-off.

FAILURE RATE:
-Transducers = 6.63
-Valves = 43.14
-Electronics = 9.8830
Total = 65.6630

FIGURE IX-1
Typical Criticality Sheet


C.(2)(f) Most Likely Action for Alarm Situation

The most likely action for an alarm situation would be to alleviate the condition that caused the alarm. In most cases, the watchstander would switch the control mode to remote manual and try to restore operation within acceptable limits. If this can be done, operation would probably be continued in this mode until there was sufficient time to troubleshoot and correct the problem. If the remote manual mode did not effectively alleviate the situation, the next action would be to go directly to the field and manually operate the subsystem. Again, when time permitted, troubleshooting and repair could be performed to restore normal automatic control.

C.(2)(g) Boiler Trip

For a boiler trip situation, the immediate action would be to determine the cause of the trip and then alleviate any conditions that would cause boiler or turbine damage. Again, in most cases the watchstander would switch to remote manual, and if this did not rectify the situation, go to the field to correct the problem. Once the cause for the boiler trip had been determined and a back-up system was functioning satisfactorily, the boiler could be re-lit if it was safe to do so. Troubleshooting and restoration to normal automatic operation could then be carried out when time permitted.

C.(2)(h) Turbine Trip

In the case of a turbine trip, the watchstander would immediately go to the handpump mode of operation. For critical situations, many trips can be overridden, again depending on the situation at the time, but the most likely action is to resort to the handpump. Again, troubleshooting and restoration of the system to normal automatic operation could be carried out when time permitted.

C.(3) Systems Effects Summary

For each phase (i.e., light-off, maneuvering, and cruising), a list of systems effects was generated. There are 18 of these, as follows:

1 - Not applicable to this phase: This indicates the failures in the group are not applicable to the particular phase under consideration. (For instance, failures grouped together as causing low steam pressure are not applicable to the light-off phase.)

2 - No effect: This indicates that the failures in the group do not have any effect on the system. (For example, failures of instruments not used functionally in the system.)


3  -  Alarm,  activate  remote  manual:  The  failures  in 

this  group  activate  an  alarm,  and  the  most  likely 
action  would  be  to  switch  to  remote  manual  means 
of  operation. 

4  -  Boiler  trip,  troubleshoot  and  restart  boiler: 

The  boiler  cannot  be  restarted  until  the  problem 
causing  the  trip  is  resolved.  Therefore, 
troubleshooting  would  be  required  to  determine  and 
correct  the  reason  for  trip,  then  the  boiler  would 
have  to  be  restarted. 

5 - Auto back-up, back-up takes over function: This is the case, such as with the lube pump, where back-up is automatically switched in to take over the function if the primary unit fails.

6  -  Explosive  condition,  actual  probability  of  explo¬ 

sion  depends  on  other  factors:  This  condition 
identifies  the  group  of  failures  that  could  be 
contributing  factors  to  an  explosion.  However, 
other  factors  are  usually  required  for  an  actual 
explosion  and  some  of  these  factors  are  not  a  part 
of  the  controls  system. 

7  -  Turbine  trip,  troubleshoot  and  restart  turbine: 

In  most  cases,  the  turbine  trips  are  to  protect 
the  turbine  from  damage.  Therefore,  the  condition 
must  be  resolved  before  the  turbine  is  restarted. 
However,  during  critical  maneuvering  situations, 
most  of  the  trips  can  be  overridden. 

8  -  Turbine  MPC  reduces  RPM,  troubleshoot  and  resume 

normal  RPM's:  The  reduced  RPM ' s  can  be  due  to 
boiler  problems  or  turbine  problems.  Because  the 
reduced  RPM's  are  instituted  to  prevent  turbine 
damage  and  other  system  complications,  the  reason 
for  the  RPM  reduction  must  be  isolated  and 
resolved  before  normal  RPM's  can  be  restored. 

9 - False boiler trip, troubleshoot and restart boiler: The false boiler trip must be verified first to ascertain that there is not a bona fide problem; the boiler can then be restarted.

10 - False turbine trip, troubleshoot and restart turbine: Again, on a false turbine trip the cause for the trip must be verified to ascertain that there is not a problem before the turbine is restarted.

11 - No alarm, only lights or indicators show problem condition: For a few conditions, there are no alarms and the watchstander must observe indicators or lights to detect a problem condition. For an unmanned system, the likelihood of such problems should be carefully evaluated. In the summary section of this report, these will be further commented upon.

12 - Loss of back-up or alarm: In the criticality analysis, it is assumed that the most likely action is for back-up equipment to take over the function, or for alarms to alert the crew to activate the secondary controls. However, some groups of failure modes result in the loss of these back-up capabilities.

13 - False alarm: False alarms are a constant problem, especially during initial operation of a system, and are time-consuming. However, they have no effect on mission criticality.

14 - Loss of trip: Loss of trip functions could result in major equipment damage. In most cases, the loss must also be accompanied by loss of the associated alarm.

15 - Light-off inhibited or aborted: Many failure conditions in the burner or combustion logic will inhibit the automatic burner light-off process. However, the burner light-off process is a convenience and manual light-off will usually rectify the condition.

16 - Erratic RPM's, turbine control failure, activate handpump: Many failure conditions in the throttle control result in erratic or loss of control over RPM's. In the majority of the cases, the handpump would be activated and remain in use until the problem had been resolved.

17 - Erratic directional control, turbine control failure, activate handpump: Many of the failure groups for the throttle control result in loss of directional control. In these cases, the handpump would be activated and remain in use until the problem has been isolated and corrected.

18 - Loss of protective feature: This involves the loss of protective features other than trips and can result in damage to the equipment it is associated with.


C.(4) Mission Criticality

The  mission  criticality  for  the  three  phases  of  operation 
was  grouped  into  common  end  effects.  There  are  twelve  groups  for 
normal  steaming  and  maneuvering,  and  six  groups  for  light-off. 
For  each  type  of  end  effect,  a  criticality  factor  was  assigned. 
This  factor  ranges  from  0  to  1,  with  0  being  no  effect  and  1 
being  extreme  criticality  or  total  mission  loss.  The  mission 
criticality  factor  again  is  based  on  most  likely  situations,  and 
varies  with  the  mission  phases.  Temporary  performance 
degradation  during  normal  steaming  has  a  minor  effect  upon 
criticality,  whereas  during  maneuvering,  it  could  be  disastrous. 
During  light-off,  it  is  assumed  that  the  majority  of  light-offs 
occur  while  docked  and  delays  in  light-off  are  not  critical  to 
the  vessel  operation.  End  effect  groupings  for  normal  steaming 
and  maneuvering  are  as  follows: 

a)  Not  applicable  during  normal  steaming:  This  group 
of  failures  relate  to  other  phases,  for  instance, 
they  would  inhibit  light-off,  etc.,  and  would  not 
be  applicable  to  normal  steaming. 

Normal Steaming: P = 0.0
Maneuvering: P = 0.0

b)  No  effect:  This  is  the  same  as  the  no  effect 
group  in  the  system  level  coding,  and  as  an 
example  again,  instrument  failures  would  have 
no  effect  on  the  vessel  end  effects. 

Normal Steaming: P = 0.0
Maneuvering: P = 0.0

c)  Slight  performance  degradation:  This  group  covers 
failures  where  an  alarm  sounds  and  the  situa¬ 
tion  can  be  rectified  by  resorting  to  remote 
manual  operation.  In  the  remote  manual,  system 
response  will  not  be  as  instantaneous  as  in  the 
automatic  mode,  and  this  will  result  in  a  slight 
performance  degradation. 

Normal Steaming: P = 0.1
Maneuvering: P = 0.6

d)  Temporarily  reduced  RPM:  Failures  in  this  group 
cause a boiler trip or reduced RPM due to action
of  the  turbine  MPC  controls.  During  normal 
steaming,  reduced  RPM's  are  of  minor  criticality 
and  full  RPM  can  be  restored  in  a  relatively  short 
time.  During  maneuvering,  reduced  RPM's  could  be 
critical,  therefore,  criticality  is  signifi¬ 
cantly  higher  during  the  maneuvering  phase. 

Normal Steaming: P = 0.4
Maneuvering: P = 0.7
e) Possible turbine damage: Turbine damage can
result  from  loss  of  turbine  protective  features. 
Damage  usually  is  not  instantaneous  but  rather 
the  result  of  many  cumulative  overstresses.  The 
possibility  is  difficult  to  evaluate 
quantitatively;  however,  if  it  should  occur, 
partial  or  total  loss  of  the  propulsion  system 
could  result. 

Normal  Steaming:  P  =  0.5 
Maneuvering: P = 0.5

f)  Possible  boiler  damage:  Boiler  damage  can  result 
from  control  failures  or  a  combination  of  control 
and  external  failures.  Damage  can  also  result 
from  either  accumulated  effects  over  some  period 
or  instantaneously,  such  as  from  an  explosion. 
Again,  the  quantitative  probability  of  damage  is 
difficult  to  evaluate;  however,  if  damage  does 
occur,  the  possibility  of  total  loss  of  the 
boiler  is  very  high  and  therefore,  the  criticality 
value  must  reflect  this  possibility. 

Normal Steaming: P = 0.5
Maneuvering:  P  =  0.5 

g) Large performance degradation: Failure modes in this group necessitate total manual operations. This could be operation of a control valve by hand in the field, complete manual operation of a boiler, or use of the handwheels for turbine control. This results in slow response and inefficient operations. There is also a large chance of human error in this type of operation because in some cases, the control valves are widely separated and communications could be a factor.

Normal  Steaming:  P  =  0.6 
Maneuvering: P = 0.8

h)  Temporarily  dead  in  water:  In  this  group  of 
failures,  the  turbine  will  trip  but  the  problem  can 
be  rectified  in  a  relatively  short  period  of  time. 
Again,  during  normal  steaming,  this  is  not  a  cri¬ 
tical  situation;  however,  in  maneuvering,  it  is 
very  serious. 

Normal  Steaming:  P  =  0.7 
Maneuvering:  P  =  0.9 

i) Dead in water: Failures in this group cause loss of propulsion, and the situation will be such that corrective actions require lengthy time periods. This is a remote possibility and is a worst case situation.

Normal  Steaming:  P  =  0.9 
Maneuvering:  P  =  1.0 

j) Temporary loss of RPM control: This group covers turbine control malfunctions requiring use of the handpump back-up until control is restored. Handpump control results in slow RPM response for large changes; however, for normal cruising, this is not critical.

Normal Steaming: P = 0.6
Maneuvering:  P  =  0.9 

k)  Temporary  loss  of  directional  control:  Failures  in 
this  group  cause  loss  of  directional  control, 
requiring  that  the  handpump  be  utilized.  This  is 
not  critical  during  normal  steaming;  however, 
slower  directional  response  during  maneuvering  is 
highly  critical. 

Normal Steaming: P = 0.6
Maneuvering:  P  =  0.9 

l) Back-up failure, primary and back-up must both fail: The FMEA's and criticality analysis are based on single failures; multiple failures are considered in the fault tree analysis. However, in order to allow for the possibility of multiple failures, they must be covered in the mission criticality analysis.

Normal  Steaming:  P  =  0.2 
Maneuvering:  P  =  0.4 


End  effect  mission  criticality  groupings  for  the  light-off 
phase  are  as  follows: 

21 - Not applicable during light-off: Failures in this group do not apply to the light-off phase.

P  =  0.0 

22 - No effect: Failures in this group have no effect during the light-off phase.

P  =  0.0 

23 - Slight delay in light-off: A slight delay in light-off can occur when a problem must be alleviated by going to remote manual before automatic light-off can proceed.

P = 0.2

24 - Delay in light-off: Delay in light-off occurs when extensive troubleshooting must be performed before light-off can commence, or when light-off must be performed manually at the boiler front.

P = 0.4

25 - Possible boiler damage: Possible boiler damage can occur because of explosive conditions during light-off, such as inadequate or loss of purge. Also, possible damage can occur because of loss of fire during light-off. In most cases, possible boiler damage is a multiple failure situation and factors outside of the control system influence the possibility.

P = 0.5

26 - Possible turbine damage: Possible turbine damage can occur when light-off is initiated during normal cruising.

P = 0.5


C.(5) Quantitative Criticality Computer Analysis

A  computer  analysis  was  performed  on  the  criticality  data 
developed  for  Ship  B.  Ship  B  was  selected  because  it  is  a 
typical  system  and  the  distribution  of  mission  effect  for  Ship  A 
would  be  similar  except  that  failure  occurrences  would  possibly 
be  more  frequent.  Ship  C  was  not  analyzed  because  the 
criticality  associated  with  diesel  systems  is  fairly 
straightforward.  The  computer  software  utilized  for  this 
evaluation  was  developed  by  Management  Sciences,  Inc.  and  is 
entitled  Systems  Evaluation  Analysis  (SEA).  The  SEA  output 
lists  system  effects  and  mission  effects  in  rank  order  according 
to  their  contribution  to  mission  criticality. 


C.(5)(a)  Input  Data 

Data for three operational phases (normal cruising, maneuvering, and light-off) were entered. The time used for normal cruising was 710 hours, for maneuvering 20 hours, and for the burner management logic 730 hours. The rationale for these times is that, on average, a typical complete round-trip is approximately one month or 730 hours. Approximately 20 hours are spent maneuvering, which leaves the remaining 710 hours for cruising. The third phase, light-off, is primarily associated with the burner management logic, which is constantly on, and therefore the operating hours are the total 730 hours. Four factors were entered for modifying the basic failure rates. These are (1) temperature factors for increasing the ambient temperature from 35 °C to 50 °C, (2) quality factors for changing from commercial level parts to military grade parts, (3) premature failure factors for converting steady state failure rates to premature failure rates, and (4) a maintenance factor which reflects the reduction in failure rates that can be expected through a detailed inspection, test, and preventive maintenance plan.

Tables  of  mission  effects  and  system  effects  for  the  three 
phases  were  entered  into  the  data  base.  The  software  is 
structured  to  evaluate  groups  of  equipment.  In  this  analysis, 
each  group  is  a  subsystem.  Each  group  is  subdivided  into 
functions  and  each  function  is  a  different  part  class.  Part 
classes  consist  of  electronic  parts,  transducers,  sensors, 
valves, and similar breakdowns. For each function, the basic
failure  rate  is  given,  as  is  the  quantity  of  subsystems  per 
vessel,  and  the  four  factors.  The  failure  modes  for  each 
function  are  given  immediately  following  the  function.  Each 
failure  mode  contains  a  code  which  is  the  criticality  reference 
number.  Each  mode  also  has  the  applicable  system  failure  effect 
for  the  three  phases  and  the  percent  that  the  failure  mode 
contributes  to  the  function  failure  rate.  A  brief  narrative 
explanation  of  the  mode  is  also  given. 


C.(5)(b) Computer Output

The software analyzes one phase at a time. For each mode entered, the probability of the mode occurring is computed for the selected phase, along with the associated mission criticality. Also given for each mode is the system effect. These modes are grouped as entered, that is, by subsystem and function.

Following  the  mode  effects  are  the  system  effects 
criticality  summary  by  groups.  This  summary  compares  the 
various  system  effects  for  a  particular  subsystem  against  the 
total  for  the  entire  control  system.  The  probability  of  each 
system  effect  is  given,  as  is  the  percent  contribution  for  the 
subsystem  being  analyzed  and  for  the  total  system.  The  system 
criticality  is  also  computed  for  each  system  effect,  and  the 
percent  contribution  to  the  subsystem  is  calculated  along  with 
the  percent  for  the  total  system.  Following  the  group  analysis 
is  the  overall  system  effects  summary,  giving  all  system  effects 
ranked  by  contribution  to  the  overall  criticality. 

The  next  section  is  the  mission  effects  for  the  total 
system  again  ranked  by  contribution  to  the  total  system 
criticality.  Following  this  are  the  mission  effect  summaries, 
giving  the  contribution  of  each  mission  effect  by  subsystems. 

The mission and system summaries are presented in Figures IX-2 through IX-6. Examples of the input data are given in Figure IX-7. The detailed printouts are presented in Appendix G.
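The computation described in C.(4) and C.(5) can be carried through on a small constructed data set. The script below is an added illustration, not the SEA program and not code from this report: for each failure mode it derives the probability of occurrence in a phase from the function failure rate, the quantity per vessel, the four modifying factors, the mode's share of the function failure rate, and the phase hours; multiplies that by the mission criticality factor of the end-effect group from C.(4); and sums and ranks the results by system effect, mission effect, and subsystem, as the SEA output does. The functions, rates, factors, and effect assignments are constructed sample data, not Ship B values, and two modelling choices are assumptions of mine because the text does not state SEA's formulas: the four factors multiply the base rate, and the probability of a mode over t hours is 1 - exp(-lambda t).

```python
"""Criticality ranking in the style of the SEA run described above.
Added illustration, not the SEA program or code from the report. All
rates, factors, mode shares and effect assignments are constructed
sample data. Assumptions of mine: the four modifying factors multiply
the base failure rate; P(mode in a phase of t hours) = 1 - exp(-lambda t).
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# Phase durations stated in the report (hours per one-month round trip).
NS, MV, LO = "normal_steaming", "maneuvering", "light_off"
PHASE_HOURS = {NS: 710.0, MV: 20.0, LO: 730.0}

# Mission criticality factors from groupings (a)-(l) and 21-26 above.
MISSION_FACTORS = {
    NS: {"not_applicable": 0.0, "no_effect": 0.0, "slight_degradation": 0.1,
         "reduced_rpm": 0.4, "turbine_damage": 0.5, "boiler_damage": 0.5,
         "large_degradation": 0.6, "temp_dead_in_water": 0.7, "dead_in_water": 0.9,
         "loss_rpm_control": 0.6, "loss_directional_control": 0.6, "backup_failure": 0.2},
    MV: {"not_applicable": 0.0, "no_effect": 0.0, "slight_degradation": 0.6,
         "reduced_rpm": 0.7, "turbine_damage": 0.5, "boiler_damage": 0.5,
         "large_degradation": 0.8, "temp_dead_in_water": 0.9, "dead_in_water": 1.0,
         "loss_rpm_control": 0.9, "loss_directional_control": 0.9, "backup_failure": 0.4},
    LO: {"not_applicable": 0.0, "no_effect": 0.0, "slight_delay": 0.2,
         "delay": 0.4, "boiler_damage": 0.5, "turbine_damage": 0.5},
}

@dataclass(frozen=True)
class Mode:
    name: str
    share: float          # fraction of the function's failure rate
    system_effect: str    # one of the 18 system effects above
    mission_effect: dict  # phase -> key into MISSION_FACTORS[phase]

@dataclass(frozen=True)
class Function:
    subsystem: str
    name: str
    rate_per_million_h: float  # base failure rate, failures per 1e6 h
    qty: int                   # units per vessel
    factors: tuple             # (temperature, quality, premature, maintenance)
    modes: tuple

def effective_rate(fn):
    """Failures per hour after quantity and the four modifying factors."""
    return fn.rate_per_million_h * 1e-6 * fn.qty * math.prod(fn.factors)

def mode_probability(fn, mode, phase):
    """Probability that the mode occurs at least once during the phase."""
    return 1.0 - math.exp(-effective_rate(fn) * mode.share * PHASE_HOURS[phase])

def _ranked(totals, grand):
    """(key, criticality, percent of grand total), highest first."""
    rows = [(k, v, 100.0 * v / grand if grand else 0.0) for k, v in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def analyze(functions, phase):
    """Per-mode criticality plus the ranked summaries the SEA output gives."""
    modes = []
    by_sys, by_mission, by_subsys = defaultdict(float), defaultdict(float), defaultdict(float)
    for fn in functions:
        for m in fn.modes:
            p = mode_probability(fn, m, phase)
            crit = p * MISSION_FACTORS[phase][m.mission_effect[phase]]
            modes.append((fn.subsystem, fn.name, m.name, p, crit))
            by_sys[m.system_effect] += crit
            by_mission[m.mission_effect[phase]] += crit
            by_subsys[fn.subsystem] += crit
    total = sum(r[4] for r in modes)
    return {"phase": phase, "total": total, "modes": modes,
            "system_effects": _ranked(by_sys, total),
            "mission_effects": _ranked(by_mission, total),
            "subsystems": _ranked(by_subsys, total)}

# Constructed sample input; every number is illustrative, not a Ship B value.
SAMPLE_FUNCTIONS = (
    Function("Throttle control", "electronics", 100.0, 1, (1.0, 1.0, 1.0, 1.0), (
        Mode("output erratic", 0.60, "erratic RPM, use handpump",
             {NS: "loss_rpm_control", MV: "loss_rpm_control", LO: "not_applicable"}),
        Mode("loss of trip", 0.25, "loss of trip",
             {NS: "turbine_damage", MV: "turbine_damage", LO: "not_applicable"}),
        Mode("false alarm", 0.15, "false alarm",
             {NS: "no_effect", MV: "no_effect", LO: "no_effect"}))),
    # 50 C ambient (x1.5) partly offset by a preventive maintenance plan (x0.5)
    Function("Lube oil pump control", "relays", 200.0, 2, (1.5, 1.0, 1.0, 0.5), (
        Mode("primary pump fails", 0.90, "auto back-up takes over",
             {NS: "backup_failure", MV: "backup_failure", LO: "slight_delay"}),
        Mode("back-up fails to start", 0.10, "loss of back-up or alarm",
             {NS: "turbine_damage", MV: "turbine_damage", LO: "not_applicable"}))),
)

if __name__ == "__main__":
    for phase in PHASE_HOURS:
        result = analyze(SAMPLE_FUNCTIONS, phase)
        print(f"{phase}: total criticality {result['total']:.5f}")
        for key, crit, pct in result["mission_effects"]:
            print(f"  {key:26s} {crit:.5f}  {pct:5.1f}%")
```

Running the script prints, for each phase, the mission effects ranked by their share of total criticality. One point the report's phase hours make visible: maneuvering carries the higher criticality factors, but with 20 hours of exposure against 710 for cruising its absolute criticality is far smaller, so the ranking within a phase, not the totals across phases, is what should steer design, inspection, or watchstanding attention. The loss-of-trip and loss-of-back-up modes also show why effects 12 and 14 above deserve scrutiny: they are improbable, yet the 0.5 damage factor keeps them near the top of the list.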
FIGURE IX-5

Mission Criticality for Light-Off
(Burner Management always on, 730 hours per cruise)

[The body of Figure IX-5, a SEA output table, did not survive the scan; only the caption is retained.]

FIGURE IX-7

Input Data for Computer Criticality Analysis

Ship B

[Figure IX-7 is a multi-page listing of the SEA input file for Ship B. The printout is not legible in the scan and is not reproduced here. Its recoverable structure: a SET PHASE TIMES 710 20 730 line; SET MFE= tables assigning the P= criticality factor to each mission effect for normal steaming, maneuvering, and light-off; SET SFE=, MFE= tables mapping each system effect to a mission effect for each phase; SET GROUP and SET BLOCK lines naming the subsystems (legible names include Burner Management Master, Burner Module, Combustion Control, Drum Level Control, Feedwater Control, and Steam Dump Control); and, under each SET FUNCTION line, a PARTS line giving FR=, QTY=, RFACTOR=, RF=, SFACTOR=, and SF=, followed by SET MODE= lines carrying CODE=, the three per-phase SFE= codes, P= (the mode's share of the function failure rate), and a MODE= description.]
22*  p'1”2TJnNf'~n22i“|i1?ro^E*'’*5*,fci  '■*tS5  ■'"oEaUTTN  COPPUfT  Ai«/e*c»v  Fo 


FIGURE  IX- 7  (eont) 


**"TS  T y rfbo.??  jt»icTnp.),H  sfbo.so 

SET  NW5E*t  CO.ifsis^i  SFCa3«33,at  Hnoram  COMBUST  aib/Shokf 

SET  «OPt*i  COD£bi«32  SFc»3«33,6t  Ba.37t  cn«»eii$T  AIB/Fl*1^  OUT 

S£?  RQOEaj  COOEat«?j  SPRat*,  33, aj  Pa,4?a  aPpra*!  coaSUST  atb/lo*  ST£4* 

SET  anOE*«  Cnyr.M',Mia  5FfjJ,33,5i  Pariii  Mnnraar  CflaRtlST  AIS/SHOfC 

SET  -oft£»5  C0O€« 1  a 31  JFCbS, 33,61  »«,!!»  anf>r.Lfu  ro«BUST  aIR/SmOKF 

SET  i(jOE*6  CO('E*)«32  SFP»»j.3fc(iftl  Pa.ojR  "riNFai.Oa  ro**^UST  AIK/EkCSV  FP 

S£T  a[*0E»T  Crf'C*<a31  SFF.aP,38«6i  Pa, 05®  t^OFtni*1  C0“HUST  AJP/LO*  ST*4 

SET  *4r»0E«F  COOE«t«34  SF£a4,3«,6l  *«,<)■*  aPftFaLC*  COMBUST  4IR/8LR  thp 

8£'f  Croup  5  ON 
SET  3L0C*  %  On 

SET  FumSTJOk  ELECTSUWe/OKUM  LVl  CNTL 

S*«Ts  FP«H5,7175  OTVaJ  PFAfToRat.Si  bp»0.?(?  SFacT0R*3.25  SFaO.80 
SET  m0oe«i  Cone«Sai  srca3.3i.6i  pb.3«j  «nP*«Hj  *>b.;*  lvl 
SET  **or>t*^  COde«3sj  SFEa2v,50,Bi  Pa.oaa  aruvrant  p»um  lvi/S^ICL  TO  Tlj»r 
SgT  *»00€*J  C0PE*SS1  SFcat. 34,77  Fa, 244  ao*£al.OB  OBit*  LVl/Ht,*1  TRIP 

S£T  “O0E*a  C3DE*JS2  SF£aa,3a,al  Pa,t26  mopebLO*  OB*''-  LVtrat  ST*  TE*P 

SET  4*0f'E*5  Cf*OEBJ5J  SF£e*#36#at  F*,0«2  “Of'EsL'M  P8IH  LVl/HI  SLB  TEMP 

set  fuoe*4  C0nc«*3  SfE«ia.i«.7a  Pa.oas  *o*F«FALSE  alar* 

SET  mdD£*7  C0PE*8a  $FEa|?,A2,72  Pr,  104  aonfaCOSS  OF  CONTROL /ORUN  LVl 
SET  FUNCTION  TRANSDUCERS 

P»PTS  ro*35.««oo  3TT»2  rfactORbi.S*  RF«&.*o  SFACTnO.a.ao  sf«o.m 
SET  **oOE*t  COnfaS*!  $FEa3, 33.61  P*,iJ5  “ODEa*!  0*U*  LVL 
SET  “f*OE*2  COnE“3«2  SF£ a20 , 50 , a  1  Pa, Oil  nOofbhI  pay«  LVl/SPILL  to  TUBS 
SET  *or>E*3  C0UE»35!  3FEa«.14  77  PB.4S5  aoOEaLOV  Orijw  lVl/RL»  TBIB 

5£T  «0OE*4  COOE*352  SFEaB.la.al  Pa.ojT  *On£aiO*  obu*4  tv/wx  $Tt*  t**EF 

S£T  aoP£s5  CniiE*3S3  SF£a4«3B.6l  Pa, 50a  “OFfaLO*  brum  lvl/HT  6LB  T£ap 

Set  SpEat2**?»72  P*,Sia  •*0r*CBLnSS  of  COntbol/ORun  lvl 

SET  BLOCK  a  ON 

»£T  FUT’CTlO‘4  EL£CT«ON|C/F«  CNTL 

P4BTS  PRa42.7aaB  „TVBi  nriCTORat < 32  BFan. ?2  sriCToRal.**  SFma.aa 
SET  Miif*E*l  CODt«J2  5FE»S»33,T7  pa,SU  "OOfaLO^  FO  PBrs/LO»  oBu*» 

SpT  “Ol>Ea2  COUE«S2  SFEat3*B3«73  ?a,008  “OPCatDSS  OF  “E^OTE  PaNUil. 

S£T  *«00Eai  CPC(E*45t  SFEal<33«a3  Pa,lSi  »Of»TaHI  Fw  PRCSS/hi  0*<UP  LVL 

SET  *oPE»«  CPOCaRS?  SFfaT < 37«o7  Pa,lSi  vo^E***!  r B  BBESS/HJ  f>Rua  LVL 

SET  «f)0£a5  CO0EB87  SFEat2f«**72  Ba,ll«  -OOCaLOSS  07  CONTBOL/Pa  BnP 

set  function  TPiusDuCEBS 

P*BVS  F.JB37.S400  QTVBi  «F*CT0R«J,30  BF«0.*0  SF4CTnPaa.ao  SFaO.«4l 
S£T  acOfat  COOEa32  SFEaJ,33t7T  Pe,S£T  nooTbi  Ox  FO  PbEs/lO«  ORU‘,‘ 

SEt  *OOE«2  COOEB95I  SFE»Si33/63  Pa.IaS  anojaHl  Fa  PRESS/MJ  oRun  LVL 

SET  NCWEa J  COUEb85?  SF£aT*37,a7  P»,laB  MfinpaHj  ?*  PBESS/HJ  ORU*  LVL 

!£T  «onEaa  C00£a87  3FEat2,fl2,72  Pa, 337  HOOfaLOSS  OF  CONTBol/F*  BpP 
SET  GROUP  7  0»< 

SET  BLOCK  7  Oh 

SET  ruNCTlON  ELECTBOMtc/ft.  RECBC  VLV  CNtl 

P4RTS  F**t*«37S2  RTV*1  BF4CT0Rai,32  BFBp,?2  3F4CTOBB3.25  3F«0,BP 
SET  POCEai  Ct'nEajT  SFca«(3l.4l  pa, 155  KooForv  B£cpc  vlv  OPM/LO  r,SUN 

1£T  «nf>Ea2  C00E*28  SF£af(35rSl  Pa, 205  annFaF*  ®ECBC  vlv  ClS/?np  f’4IL 

S£T  “00£aj  COuEaSj  SFF.a*,u, Jfl.’a  Pa, 32c  woPEaFtLSC  4L*RP 
SET  -0DEB4  CODE«S«  SF£b1 J, 43*73  P«.32P  m00Eb4L4»p  F4l'S 
S£T  function  v*LVCS 

Parts  FP«12,7a00  QTVal  BFACTORBI.OO  BFap.ap  SF4CTOP*P,ao  $F*V,«o 
Set  «f)Oc*l  COOEtJ 7  SFEaa,3l,ai  pa,5no  mooCbFn  RECRC  Vlv  UPN/LO  OBU* 

SET  «it(JE«2  CODEBPR  5F£a5, 35*61  Pa.BfiO  PopFaF*  P£CBC  VLV  CLS/Fm? 

S£T  FUNCTION  TBanSOUCERS 

P*BTS  FBB2*, 3aon  orvai  pFACTORai.Sft  BF»o,F*  SF4CTr.aaa.ao  SFaO.oa 
SET  “OOCai  COPE«2T  SFC»a.  31,61  pa,a7i  NpiftF aF k  “ECRC  VLV  OPn/LO  DBU** 

t£T  MOOEaJ  COOt'CS  SFEa5435tai  Pa,32B  Nf>oFaFfc  BEC^C  vlV  CLS^Fp*  FAIL 

Set  CROUP  S  on 
SET  mlock  8  OH 

SET  Function  ELEC  TRONIC  /  S*"Tb  STm  TE-p  Cat! 

Parts  rwaba.osstt  0T7*s  pfactorbi.ie  pfbo,P2  *FACTor*a3,25  sF»o,fo 
SET  NtiO£» 1  COOE»aO  SFfal I |*1 »61  Pw.Sal  aO^E  LO«  5T*  T£aa/BFT  STm  TB? 

SET  n0R£»2  COOfaai  &F£bj,3J,bi  p«t227  anoPaMj  STa  TE^PVBHPTURE  TUBE 
Spt  MnrtFat  rdnmj  utxt.ax.il  •<  ini  vnnr>init  «*  grunt  m*nium 
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FIGURE  IX- ?  (cont) 


S£T  C0i>E**3  5fr»««.aav7a  Pa’.>*g  MO*iriFALSF  ai  ii'..  ‘  ~ 

*£T  *0O£b5  Crt»E**o  SF£»tl,aX.7S  pg.taR  ‘•Of'E«*L*eH  faIls 

SET  ES’cT?f,rvH^SSF",1?,<'2,7?  P**175  ,1F  CO-TPOL/ST-  P6fS 

»APT3  F*bJ*.7i,0v  7TV«2  of  *  C  TOPa  J .  01)  BFBC  Oft  Sr*PT(,B«l»  ,(|  wig  at. 

«t  S2c!ilr5ns^i,;i:i,,*,,%i  ’•,-onft  5T<’  t^p':'t  *" 

set  r^c'lo*  p‘*38’  *T“  te-p/wuptu-i  ncc 

*****  FP«a,(M3?  5TT«2  BFACTORal.SO  BFa<5  *0  BFACTOp.a  tF.,1  ta 
•It  C£(’E*60  STfii  i  ,u;  ,bl  P«,?5ft  >»n,>E*t.oa  57*1  TF*o/nFT*ST“  tbp 

i5-r  *5?*^  C*V*£»61  &F£«S,  33#61  ST«  T£wP/oUPTU*f  Tt*P£ 

«;  s:v?;ir"*  *■••».  wm-  -"i'ssa.'a. 

*|T  «loc*  *  fin 

Set  fu**c tiQ-n  ELEC tbonjc/ST*«  Dti^p  c^tl 

*****  f««iJ.u57  UTT«1  pfactobbi.s?  rfbo.;*?  sr*cr0p«3  ?r  sr.o  .e 

SET  “ut  £*J  COOE»HP  SFEaS, 35(61  Pa,5?0  “hof** te*n  OiihpVaIi  s  * 

SET  *O0Ea£  cn»r»«Pf  SFE«8,l»t,6t  PB.pgj  «0nE«8TH  r>u*P  vlv^astlv  ftPFi 

SET  rnvcTloS°^*vcJ  #rr*T*57*ftt  -•»"€«**“  DU**  VLV  TOTAL  OPE* 

SET  *ei£»2  COPE*oot  Sfr.**.)*,hi  Pa. *47  -*•'£. stm  0S-p  vlv^abtlt  c»fn 

. .  s“-:  XI  •& 

set  -oftE«!*coDc«nv!ire2J?^^ 

**!\f**  C0!>£»^01  P**i3t)  «Qf*£*$TM  $u*p  VLV  PAPT^Y  nP£N 

SET  6L°CP  10  U** 

SET  F.^cT^-t  ELEcTBONic/rHO  Ff>  $r*rfT/RT<iP  c-TL  unntiLf 

*****  FB«i5.3aP«  tl T r •  j>  ar»CT0»»i.32  SFBn.Pj  $F4Ct2bbS  »  «•„„  .« 

ArT  «nnr*l  SP£«2#32*b^  pf>0£*AT0i$y  rp$Tw?/wi  F4%q£$ 

?5_  C^OEasa  SE£a<S(3S«65  Pa. 33]  HroFgF*  Ph*  Fill  omf  TO  CmTL 

«:  :Cmc;!o"S"w5-«  '■•*”  . . •”■>■'  "n«t 

SET  fjsnup^j  i^u***5  5FC*15,a5'7,  >*•.•50  nijO|»F*  P«p  aUTO  3-  MILU*E 
SET  5LftCK  U  ON 

SET  FUNCTION  ELEC t?On ;c /Of AFPaToB  lvL  CnTI 

*****  PPaiO,«7»2  OTr.j  »F*CTO»*i,JE  wrap.lj  SFiCToPaJ  ?<  tF*0  *0 

S»T  ^onr*fc  P,*<l72  “OrF*»<T  OEifSiTOR/LO-  0»U« 

_ ^ ®  **  £  o£rE5  SFEa3i33t6{  piaa«Q  inDT«i  0#  CCaFBaTOp/lom  phiim 
«5»  CCuE»S2  SF£*|  3,03(73  pb.OI*  -oftC»L"SS  pP  Pfi'OTE  *'*nual 

SET  Fu#jTiON°ViLVEs”£"l2,<l8,7?  ,,**‘'a,  OP  CONTPCl  /OEiEfli Top 

P*pts  FRaeS.Saro  qTv«  RriCTORa?  .00  wrmi 5  an  SFiCTfiBall  SFBo  a», 

SET  >*10E«1  eor>E»2«  SF€ae,3?,fti  Pa.TSo  *«nn7»Mi  OJ  iEBi  To»/(  oi.  OR  tin 

Srr  p^r rtn^tt**5  5F£a3*33»#l  P*. 250  *<rinE*>  0«  OEiE» A T09/10*  (Mu* 

Set  function  TRiNjoucERs  *■ 

^rTS^!'“l9:i3l,°. 077,1  Pr4CTOPat,30  arae.ao  SF4CToOb6.6o  SFaO.«« 

«5»  Ct'0Ea?<i  p»#$73  Nn[)E*Ml  OEif PiToR/LO3'  U»un 

Set  S:*”:r25  SFE*3'53'*1  P«,J£T  OK  PE*E»ATOB/LOo  OP'JR 

SET  Sl^C"  12  on 

5£t  FUNCTION  ELCCT»0»iJC/FO  nEaO£B  T£NP 

\iVi.  0TT■'  *P*CT0Pai,3S  Pran.72  SF »C T0»aS, ?«,  SFaO.So 

S£T  b<jOE«1  COuE«aa  SFfaa.je.TT  pb,S|7  nunrn  n  fo  TE"P/*“'’SE 

III  2n2rl!  SFF«s*^***'  **.i”  »*0.>'6MI  FO  te np/possl  plash 

SFT  m..!%f«\  Ooof*.  ?  ir««n,ji,M  oa.nST  -orr.i  n««  nr  grnnrr  minha: 


/' 
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FIGURE  IX- 7  (cont) 


SET  njOFay  Ci«'F«oj  5rt«»?.8^.72  P*,0«S  M.*PE*LtiSS  riF  CONTROL /Fo'’tfmp 
S£T  F*JHC Y  i  p  <  valves 

»*«rs  r«»j6,(isou  ltv*i  pr*CTO‘-“t.eo  RFao.Ro  sr*cTno«l j.^p  sf*o.R6 

S£T  »ont'*l  cfnc*u#  SF£*a,3R,77  pa, sir  Mrtr>F«i  r»  ru  tf^'P/s-okf 

|£T  >*00£*2  CODE***  .SFFa3,33.6b  PB.RMt  «nftF»M|  FD  TF«P/PoSML  rL*5« 

SET  FijNC T J0<*  TPAusnueE»S 

F*OTS  Fii««,.i7S6  OTvai  «F*CTr*»«t .  In  NFap.an  »F*CTftP««,,»,n  SF*0.*U 
S£Y  “0CE*1  CO<fE*R«  SFF««,Ja,77  pb,37£  MrnFaiP  F«  TEf'P/5u0FE 

S£7  MCDE»2  C0y£*«6  SFE*J. J3.bO  P#.*13  *it>l>F«nI  Fli  tFnP/PoSIL  FL4$m 

S£t  -or>£«j  COC£»«J  SFE*l2»a2*72  Fa.2l5  moOebLOSS  OF  Control /Er,  tfhP 
*£T  caoup  tJ  o>; 

S£  T  BlPCF  IS  ON 

SET  Function  EtECTBONIC/Fn  b£c«c  cnTL 

FkBjtt  Ft.«j3,001»  i>ry»i  rFactowbj .3?  SF«(1.?J  5FACTrtPa3,2S  SFaft.lM) 

*ET  *'£OC*l  COD£sJei  SF£aR,3fl,77  P«.2?6  MrjnF*LOM  F n  B«ES/MLb  T»jp 

S£7  Mfn>£*2  COr>E»J*J  SF£*a>3«>77  P*,«52  MOOfaLDa  Ffl  P*tE$/FL*f*E  OUT 

Set  «nt>£»j  code bjr  SFE»n>ai,3«  p*,r2o  **or>f *h j  fo/mi  st«  pressure 

Set  FijmCTJUU  valves 

PaPTH  rw.jS.AbOO  fjTV«l  PF*CT0B«!.«0  BF«o.»0  SF*CTf!R«l  l.«,0  $F»0.#6 
SET  mmOE»1  CPt'E«3«l  SFC«a,Jfl,77  Pa.JRT  KOf>E«tO"  Fn  PP£S/*LR  TRIP 

S£T  m,)DE»2  Ct)U£«3«?  SFE»a,Ja,77  P*,1R*  nn^C«LOt*  FO  PNES/Fla*E  OUT 

SET  *cDE*3  CCOe«JR  SF£*t  t  ,«1 ,3<i  Pa, 505  mO^EbMI  FO/hI  STf  PRESSURE 
SET  FUNCTION  TRANSDUCERS 

Parts  Fa«o.sooa  «m«i  rf actor* i  ,  so  rf«p.#«  *factorp<>,60  $r*o.#a 
SET  «t>0E»l  CUOC«SO  SF£*il,«l,3«  PPI.000  DPf»r»Mi  fo/hI  ST“  PRESSURE 
SEt  GROUP  1 «  ON 
Set  P(.OC«  l#  ON 

S£T  function  ELEC  TRONIC  /lO  PUMP  cntls 

parts  f«*7.i57r  oty*2  bfacto«»»,32  rf*o.p?  pfact''b»s.2S  srao.so 

SET  “DOE* t  COOE«SO  SFEsS.SS.*!  P*.20R  *r>r)f*t  D  »«P  FaIl/LO-  Lt’ 

Set  <*Cf!£»2  C0uE«96  $F£>13>43>?3  Pa.TRt  mO^EbLD  P“P  AUTO  S*  F * ILUR£ 

SET  FIIOCTIO‘1  S-ITCHCS 

Parts  fr*2o,J3oo  «ty*2  rfactorri.t*  rf«o,*o  sfactor«r,6o  sp«°.«»i 
Set  mo OE»l  COOE*5o  3FE«5.55,*H  Pa, 072  mode*) 0  PUP  faIl/lo-  lo 
set  “OOE»2  CODE*R6  SP£»1J»*3»73  P*.R2"  f*ODE«LO  Pnp  auto  S«  r*lL"PE 
SET  function  RELAYS 

parts  FP»J.S300  fJTY»2  RF  ACTOHs  1  .  J  •  BF.0.5P  RF  ACTftRPb  ,  f,0  SF«0,3») 

SET  MOOE«t  C00E*9R  $FC«iS,A3,7S  P»l,000  M"r>r»LO  PmP  4UT0  5“  EaJlURE 

$£T  f}Rf]UP  J5  on 

SET  «LPC«  IS  on 

SET  FLINCUON  ELECTRONIC/ITC 

parts  FR«tJR.56ai  otr«i  rfactor«i,32  rf«o.?p  sFAcrnR«3.25  sfro.po 

Set  f*onc«l  COncaRT  5Fe*10,A0,M  P*#27r  «OPe*FaL3E  TURBINE  TRIP 

SET  «oOE*2  COOEaRa  SP£ai<r<RfRt  P*,ORP  »0nCa*RD/4ST  vlv  SETTING  FaTlS 

S£T  «*oO£a 3  COOEaRR  SFEajR,aR(b|  Pa.lflp  MOPfaLOSS  OF  CrAS«  BaCk 

*£T  M0PE«a  COO£«100  SFCal’iR^fRl  P»,0a*  mOofimRONO  ano/aST  VLV  OPENED 

Set  «rr>e»S  CT'OERtOl  SFEBl!,aj,*j  Pa,0«3  MOftriLOSS  OF  RaTE  C*<*NGE 

Set  MfiOE«»  COOE*lOb  SFEa20,3t#bl  Pa, 074  *00**1.08*  OF  OV£PSP£EC  TRI° 

SET  muDE a 7  CODEatoT  SFfalA, 06,61  P*,1R6  YO0f«L0SS  OF  TURP  TRIP 
Set  MOOfcas  CUOEalSA  SFE*l*SO,pO  P*,o!«  -ODEaSiHFT  STOPP£0  In  APD 
SET  M.inE*R  C0OE*10R  $FE»t*5n»6n  P*,OaO  *00Ea4P0  In  0'iE  OIRECTIOm 
SET  "ODE* 1 0  CUOE* 1 t  0  SFE*^0,50,6t  P*,|77  “OOEaLOSS  OF  *PC 
set  rt.*'CTTCN  r.-*iTcMEs 

•arts  Ff*l23,5Poo  UTYai  RFACTORat.tS  RFyc.So  SF*CTor*6, fc()  SFai),aa 
*ET  “gO£ai  CODE* 1 03  SFEwt3,R3r6]  Pa, 028  MOo*ai.OSR  OF  TUPNING  GEa» 

StT  «00£«2  CU0E*107  SFC« 1 P . «R,  *«  I  P»,62P  MPor«LOSS  OF  TUR«  TR£P 
Using these data summaries and the FMEAs, system effects
and mission effects can be traced back through the subsystem to
the function and, if so desired, to the individual parts. As an
example, "Boiler Trip/Correct and Restart Boiler" is the number
one contributor to criticality during normal steaming,
accounting for 24.6568 percent of the total criticality. A major
contributing subsystem can be determined by observing the
percentages in the right-hand column for the same system effect.
Examination of the subsystems shows that the burner management
master subsystem contributes a total of 5.16 percent of the
total and is the highest subsystem. This can be further
isolated by examining the functions for the subsystem. For this
particular system effect, electronics contribute .024 per cruise
and the valves .023. If it is desired to determine which
specific electronic circuits are contributing to the system
effect, the criticality reference number can be obtained and
looked up in the failure modes summary sheets. The failure modes
summary sheets will then reference the individual line items in
the FMEAs which contribute to that note number.

Although boiler trip is the most critical during normal
steaming, it is not the most frequent system effect. The most
frequent system effect is "alarm/activate remote manual," which
occurs .4956 times per cruise. Although this system effect
occurs on the average once every two cruises, it is ranked
fourth in criticality because of its minor mission loss
probability. Upon examining the system effects for maneuvering,
the "alarm/activate remote manual" system effect moves up to
first place in criticality with a contribution of 37.9 percent
of the total. Because of the comparatively short time span for
maneuvering versus normal steaming (20 versus 710 hours), the
probability of occurrence decreases significantly, dropping to
.01359, but the mission loss probability increases from .1 for
normal steaming to .6 for maneuvering.
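The ranking mechanism described in the two paragraphs above, as an added worked example that is not part of the report. It takes the report's "alarm/activate remote manual" frequency (.4956 per cruise) and its mission loss probabilities (.1 in normal steaming, .6 in maneuvering) together with the two phase durations, and shows how criticality (probability of occurrence times mission loss probability) reorders the effects between phases. The other two system effects and their numbers are constructed for comparison, and the conversion from a per-cruise count to a probability of at least one occurrence assumes a constant failure rate (Poisson count), so the report's own printed probability for maneuvering is not reproduced exactly.

```python
from dataclasses import dataclass
from math import exp

# Phase durations used in the report: 710 h normal steaming, 20 h maneuvering.
PHASE_HOURS = {"normal steaming": 710.0, "maneuvering": 20.0}


@dataclass(frozen=True)
class SystemEffect:
    """A system effect, its failure rate and its phase-dependent mission loss."""
    name: str
    per_cruise: float      # expected occurrences over one 710 h normal-steaming cruise
    mission_loss: dict     # phase -> probability of total mission loss given the effect

    def rate_per_hour(self) -> float:
        return self.per_cruise / PHASE_HOURS["normal steaming"]


def expected_occurrences(effect: SystemEffect, phase: str) -> float:
    """Expected count of the effect during the phase (constant failure rate assumed)."""
    return effect.rate_per_hour() * PHASE_HOURS[phase]


def probability_of_occurrence(effect: SystemEffect, phase: str) -> float:
    """Probability of at least one occurrence in the phase (Poisson count)."""
    return 1.0 - exp(-expected_occurrences(effect, phase))


def criticality(effect: SystemEffect, phase: str) -> float:
    """Criticality = P(effect occurs in phase) x P(total mission loss | effect)."""
    return probability_of_occurrence(effect, phase) * effect.mission_loss[phase]


def rank_by_criticality(effects, phase):
    """Return [(name, criticality, percent of phase total)], highest first."""
    scored = [(e.name, criticality(e, phase)) for e in effects]
    total = sum(c for _, c in scored)
    scored.sort(key=lambda row: row[1], reverse=True)
    return [(name, c, 100.0 * c / total) for name, c in scored]


# Constructed sample. The first row uses the report's figures for
# "alarm/activate remote manual"; the other two rows are invented so the
# ranking has something to compare against.
EFFECTS = [
    SystemEffect("alarm/activate remote manual", 0.4956,
                 {"normal steaming": 0.1, "maneuvering": 0.6}),
    SystemEffect("boiler trip/correct and restart boiler", 0.12,
                 {"normal steaming": 0.7, "maneuvering": 0.5}),
    SystemEffect("MPC reduces RPM/correct/resume", 0.06,
                 {"normal steaming": 0.3, "maneuvering": 0.5}),
]

if __name__ == "__main__":
    for phase, hours in PHASE_HOURS.items():
        print(f"--- {phase} ({hours:.0f} h) ---")
        for name, crit, pct in rank_by_criticality(EFFECTS, phase):
            print(f"{name:42s} criticality={crit:.5f} ({pct:5.1f}% of total)")
```

In normal steaming the constructed boiler trip row leads because its mission loss probability is high; in maneuvering the alarm effect occurs far less often but its .6 mission loss probability moves it to first place, which is the reordering the report describes.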

Based  on  the  figures  in  the  system  effect  summary,  it  could 
be  expected  that  approximately  one  time  out  of  100  while 
entering  or  leaving  port,  the  vessel  automatic  propulsion 
control  would  have  to  be  switched  to  remote  manual  operation. 

Examination of the system data shows that approximately .92
alarms can be expected during normal cruising per month. This
is relatively close to what has been reported in the literature
search when it is considered that this data does not include all
of the system alarms. The total system failure rate amounts to
approximately 2.6 per month, which also compares relatively
closely to the 3M data, which reported 1.6 per month but did not
include valves and actuators.
To summarize the data for Phase I, the top contributor to
mission criticality is the possibility of permanent boiler or
turbine damage. Other mission effects such as "temporary
reduced RPMs" and "small performance degradation" are relatively
non-critical during normal steaming and have a relatively small
mission loss probability. The possible boiler/turbine damage
effect is usually the result of failures which are not properly
alarmed. As an example, there is no alarm for low steam
temperature, and consequently wet steam can enter the turbine.
During maneuvering, the possibility of boiler/turbine damage
drops down to third place with respect to its contribution to
criticality. This is because the vessel requires the full
maneuvering capability, and the two top mission effects, "small
performance degradation" and "temporary reduced RPMs", become
relatively critical during maneuvering. During phase 3, the
light-off phase, a major delay in light-off becomes the top
criticality contributor. This would be where manual light-off
is required, introducing a good possibility of departure delay.
The second ranking contributor to mission criticality is
possible boiler damage during this phase. This is mainly
because of the potential for explosion during boiler light-offs.


In addition to the analysis of the effects of the three
phases, a computer analysis was performed to determine the
effects of the adjustment factors. These factors adjust the
basic failure rates for temperature, quality, premature
failures, and preventative maintenance. The justification for
these factors was discussed in Section VI. As previously
described, each subsystem is divided into functions for the
computer analysis. The functions consist of classes of parts,
such as electronic parts, sensors, valves, etc. Each class of
parts has a different adjustment factor.

Appendix G contains the input data for the quantitative
criticality analysis, and gives the associated factors for each
function. Following the input data, the entire computer output
for the basic factor analysis is provided. Of the remaining four
factor analyses, only the first four subsystems have been
included in the appendix. Figures IX-8 through IX-12 are the five
system effect summaries.

The factor analysis was performed for phase one, i.e., the
normal cruising phase. In this study, a normal cruising phase
of 710 hours, or approximately one month, was used. Using a one
month period permits a convenient comparison to other literature
related to commercial vessels, where failures are usually
expressed on a per month basis.
System Effects, Basic Failure Rate and Normal Steaming Phase

System Effects, Temperature Increased to 50° C, Normal Steaming
Phase
The system failure effect summary for the basic failure
rates shows "alarm/activate remote manual" to be the highest
contributing system effect, accounting for 19.1% of the total.
The second ranking system effect is "not applicable to this
phase" and accounts for approximately 19% of the total system
effect. If the "not applicable" is deducted from the total, the
"alarm/activate remote manual" accounts for 24% of the total
system effect. The expected frequency of "alarm/activate remote
manual" for the basic failure rate is .4596 per cruise. When
the temperature is changed from 35° C to 50° C, the expected
frequency of "alarm/activate remote manual" increases to .6142
per cruise. In order to better depict the effect of the four
factors upon the system, Table IX-1 was compiled from the five
system printouts. The total expected frequencies, deleting
system effect numbers one and two, which are "not applicable"
and "no effect", show the total relevant frequencies.

Using the basic failure rates, the expected frequency of
relevant problems is approximately two per cruise. Breaking
this down to the various system effects, it is apparent that the
frequency of occurrence should not be a serious problem during
normal cruising. However, when using the premature failure
rates, which are approximately six times the basic rates, some
of the previously insignificant problems become significant. As
an example, system effect number eight, which is "MPC reduces
RPM/correct/resume," has an expected frequency, using the basic
failure rate, of .06 per cruise. Using the premature failure
rates increases the frequency to .37, or approximately once in
every three cruises. On the other hand, increasing the quality
level of the parts from commercial to military grade reduces the
expected frequency by approximately 50%. This same reduction
also applies to the institution of a comprehensive preventative
maintenance program.
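The factor analysis just described, as an added example that is not the report's own program or data. It models each function as a part class with a basic failure rate and quantity, applies a class-dependent multiplier for each of the four factors (temperature, quality, premature failures, preventative maintenance), and totals the expected failures per 710-hour cruise under each scenario. The functions, rates and factor values are constructed for the example (the report's actual factors are in Appendix G); the point is that because each class carries its own factor, the overall change is a weighted blend rather than any single factor, and that a threshold on per-cruise frequency shows which functions become significant under premature failure rates.

```python
from dataclasses import dataclass

CRUISE_HOURS = 710.0   # normal cruising phase used in the report (about one month)

# Constructed adjustment factors by part class. Each multiplies the basic
# failure rate of every function in that class. Not the report's values.
FACTORS = {
    "basic":       {"electronic": 1.00, "transducer": 1.00, "valve": 1.00},
    "temperature": {"electronic": 1.32, "transducer": 1.10, "valve": 1.00},  # 35 C -> 50 C
    "quality":     {"electronic": 0.40, "transducer": 0.60, "valve": 0.80},  # military grade
    "premature":   {"electronic": 6.00, "transducer": 6.00, "valve": 6.00},  # early-life rates
    "maintenance": {"electronic": 0.70, "transducer": 0.50, "valve": 0.40},  # comprehensive PM
}


@dataclass(frozen=True)
class Function:
    subsystem: str
    name: str
    part_class: str
    fr_per_million_hours: float   # basic failure rate of one item
    qty: int


def cruise_frequency(func: Function, scenario: str) -> float:
    """Expected failures of this function per cruise under one scenario."""
    factor = FACTORS[scenario][func.part_class]
    return func.fr_per_million_hours * 1e-6 * func.qty * CRUISE_HOURS * factor


def total_frequency(functions, scenario: str) -> float:
    return sum(cruise_frequency(f, scenario) for f in functions)


def factor_table(functions):
    """scenario -> (total failures per cruise, ratio to the basic case)."""
    base = total_frequency(functions, "basic")
    return {s: (total_frequency(functions, s), total_frequency(functions, s) / base)
            for s in FACTORS}


def significant_under(functions, scenario: str, threshold: float):
    """Functions whose per-cruise frequency exceeds the threshold, highest first."""
    rows = [(f.subsystem, f.name, cruise_frequency(f, scenario)) for f in functions]
    return sorted((r for r in rows if r[2] > threshold), key=lambda r: r[2], reverse=True)


# Constructed sample functions (rates in failures per million hours).
FUNCTIONS = [
    Function("combustion control", "electronics", "electronic", 500.0, 1),
    Function("combustion control", "transducers", "transducer", 100.0, 4),
    Function("combustion control", "valves", "valve", 200.0, 2),
    Function("drum level", "electronics", "electronic", 300.0, 1),
]

if __name__ == "__main__":
    for scenario, (total, ratio) in factor_table(FUNCTIONS).items():
        print(f"{scenario:12s} {total:8.4f} per cruise  ({ratio:.2f} x basic)")
    print("over 1.0 per cruise with premature rates:",
          significant_under(FUNCTIONS, "premature", 1.0))
```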

The related mission effect for each system effect is given
in the column headed "MFE" of the System Effect summary
printouts. For system effect number three, "alarm/activate remote
manual," the associated mission effect is also number three.
Figure IX-13 gives the contribution of the mission effects by
subsystems. The mission effect for "alarm/activate remote
manual" is "small performance degradation." Although this is the
number one contributor to the frequency of system effects, it
contributes only 8.9% to the total mission criticality. This
occurs because this mission effect has a relatively small
probability of a total mission loss. The largest contributor to
the mission effect "small performance degradation" is the number
four subsystem, Combustion Control, with 27.8% of the total.

Table IX-1. Summary of How Factors Change the Frequency
of System Effects - Normal Cruising Phase
(expected occurrences per cruise; columns follow the order in
which the four factors are listed above: basic failure rate,
temperature increased to 50° C, military part quality, premature
failure rates, and preventative maintenance)

System effect               Basic   Temp.   Quality  Premature  Prev.
                            rate    50° C   military failure    maint.
TOTAL (excluding 1 and 2)   1.9848  2.4263  1.0581   12.1900    1.0691

Individual system effect rows of the table are not legible in
this copy.

The general conclusions that can be drawn from these
statistics are that the relative frequencies of occurrence of
system and mission effects for the basic failure rates should
not create a great deal of concern. The premature failure rates
and the resulting system and mission effects are considerably
higher, and should be of concern. However, these rates can be
substantially reduced as explained in other sections. If
specific system effects and/or mission effects are not
considered acceptable, the effect can be traced back through the
data and the individual parts or assemblies causing them can be
isolated. Once the parts or assemblies contributing to the
unacceptable system or mission effect have been isolated, the
necessary corrective action can then be taken. Specific
techniques for improving reliability have been detailed in
Section X. Also, some of the examples of poor reliability
practices which have been found through the criticality analysis
and other facets of this study are presented in that section.
Figure IX-13. Contribution of Each Subsystem to Individual
Mission Effect (Using the basic failure rate and normal steaming
phase)


X. RELIABILITY DESIGN AND PERFORMANCE CRITERIA


The  reliability  design  and  performance  criteria  discussed 
in  this  section  were  developed  as  a  subtask  of  Task  III.  The 
overall  Task  III  objective  was  to  translate  the  results, 
findings,  and  observations  of  Tasks  I  and  II  into  a  baseline  of 
reliability-related  information  suitable  for  use  by  the  Coast 
Guard  in  its  various  activities.  During  this  particular  subtask 
of  Task  III,  design  and  performance  aspects  were  considered  from 
the  standpoint  of  their  role  in  improving  reliability  and 
reducing  system  downtime. 

In conducting this subtask, DOVAP evaluated such factors as
design practices, operational characteristics, quality
provisions, etc., that can impact the reliability of engine room
automation systems. A number of candidate areas for improving
the probability/effect of engine room automation system failures
were identified and categorized. These areas are supported by
examples taken from the findings and observations of Tasks I and
II, and from information obtained from firms specializing in the
repair of engine room automation systems.


A. DESIGN AND PERFORMANCE CRITERIA BASIC OVERALL REQUIREMENT

Among the documents reviewed during the Task I Literature
Survey, there is general agreement that, except for Navy
applications, reliability factors are seldom considered in any
systematic fashion by the U.S. maritime industry*. This was
borne out during DOVAP's Task II detailed reliability analyses,
when a number of questionable reliability features/practices was
noted. These ranged from "omissions" (e.g., the lack of any
consistent policy for stress de-rating of electronic parts) to
the incorporation of hardware configurations that increase the
likelihood of serious failure modes (e.g., incorporating
redundancy in trip circuitry without regard to the resulting
increased potential for "false trips").

Throughout the study, the common denominator of such
observations/findings appeared to DOVAP to be a lack of
awareness of the causes of unreliability. This is perhaps best
illustrated by its obverse. That is, in areas where reliability
considerations are generally well-known, few, if any,
questionable practices were noted (e.g., "fail safe" — a
well-known concept — appeared to have been implemented with
rigorous attention for such off-on devices as relays and
solenoid valves).


*See, for instance, Appendix A Log #116.

DOVAP feels strongly, therefore, that the basic underlying
requirement for improving the reliability of marine automation
systems lies in improving an awareness of the causes of
unreliability. Further, this awareness should become
second-nature to all involved — designers, inspectors, operators,
surveyors, design reviewers, etc.

To assist in improving this awareness, DOVAP has organized
the reliability-related design and performance criteria into the
specific categories that either cause unreliability or prolong
system downtime. Stated another way, these categories provide
groupings for approaches to optimize the probability and/or
impact of failures.

These categories are defined and described in Section B,
THE CAUSES OF UNRELIABILITY, below. The reliability-related
design and performance criteria for each category are discussed
in Section C.


B.  THE  CAUSES  OF  UNRELIABILITY 

As can be recalled from the "bathtub" curve (Section II,
"Fundamentals of Reliability"), there will be a period of infant
mortality, or "burn-in" failures, followed by a steady state
period of random failures, followed finally by a period of
wearout failures. Improving reliability, or in other words,
eliminating the causes of unreliability, involves measures that
deal directly with the characteristics of these three periods.
These characteristics, together with generalized reliability
improvement approaches, are discussed below.
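The three periods of the bathtub curve, as an added worked example that is not part of the report. The curve is modelled as the sum of three competing Weibull hazard functions: a decreasing one for infant mortality (shape below 1), a constant one for random failures (shape 1), and an increasing one for wearout (shape above 1). The parameters, in months of service, are constructed for the example and are not drawn from the report's data; with them the infant mortality hazard stops dominating after about nine months, the same order of magnitude as the five-month ship-level and one-year automation-system periods cited in B.(1).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Weibull:
    """Weibull failure mechanism with hazard h(t) = (beta/eta) * (t/eta)^(beta-1)."""
    shape: float   # beta: <1 decreasing hazard, =1 constant, >1 increasing
    scale: float   # eta, in months

    def hazard(self, t: float) -> float:
        if t <= 0:
            raise ValueError("hazard is defined for t > 0")
        b, n = self.shape, self.scale
        return (b / n) * (t / n) ** (b - 1.0)


# Constructed composite (months). Not fitted to the report's data.
MECHANISMS = {
    "infant":  Weibull(shape=0.3, scale=2.0),    # design/fabrication/installation defects
    "random":  Weibull(shape=1.0, scale=20.0),   # constant 0.05 failures per month
    "wearout": Weibull(shape=4.0, scale=120.0),  # wearout rising after roughly ten years
}


def total_hazard(t: float) -> float:
    """Failures per month at age t from all mechanisms together (the bathtub)."""
    return sum(m.hazard(t) for m in MECHANISMS.values())


def dominant_period(t: float) -> str:
    """Which bathtub period the system is in at age t: the mechanism with the largest hazard."""
    return max(MECHANISMS, key=lambda name: MECHANISMS[name].hazard(t))


def infant_mortality_end(max_months: int = 120):
    """First whole month at which infant mortality no longer dominates, or None."""
    for month in range(1, max_months + 1):
        if dominant_period(month) != "infant":
            return month
    return None


if __name__ == "__main__":
    for month in (1, 6, 12, 36, 60, 120, 180):
        print(f"month {month:4d}: h={total_hazard(month):.4f}/month  period={dominant_period(month)}")
    print("infant mortality ends at month", infant_mortality_end())
```

Replacing a failed item with an identical spare does not move the system out of the infant period when the hazard is dominated by a design defect, which is the recurrence the report warns about; in this model that shows up as the "infant" mechanism still dominating the total hazard.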


B.(1) Infant Mortality Failures

During the infant mortality period, failures due to design,
fabrication, installation, etc., will predominate and gradually
taper off as they are weeded out during "de-bugging" (or
"burn-in"). A prime function of the design review and testing
processes is to identify such potential problems and correct
them before the equipment is placed in service. If these
processes have been thorough, then ideally the check-out period
during sea trials would serve to identify problems due to the
overall operating environment which could not have been
predicted or simulated earlier.

In practice, of course, infant mortality failures are never
completely weeded out by the end of sea trials. Based on a data
evaluation in one study (Log #075), infant mortality periods of
five months at the ship level were found. For automation
systems, periods of a year, or longer, are not unusual. This
implies that failures due to some specific cause can occur
months after the ship has gone into service.

A point that DOVAP feels should be emphasized is that
systems as complex and complicated as engine room automation
systems can never be 100 percent "de-bugged." In complex
computer installations, for example, DOVAP is aware of design
"bugs" that turned up over two years after installation; such
"bugs" usually require some rare, but not abnormal, set of
circumstances to trigger them.

Infant mortality, or "de-bugging," failures can produce
potentially serious effects. Also, since they result from
specific causes, they can be expected to recur if the failed
item is replaced with an identical spare. Based on such
considerations as these, the identification of potential infant
mortality failures should receive more attention than is
apparently now the case.

As indicated above, a prime function of the design review
and testing processes is to identify such potential failures.
There are, however, obviously no "cookbook" approaches for
achieving this. A useful rule-of-thumb rationale is that a part
will fail when its stress exceeds its strength. While this may
at first sound simplistic, identifying the stress-strength
parameters that can lead to a failure can be difficult,
especially in control equipment where "stresses" are often not
of the physical-loading type. The stress-strength parameters,
for instance, can involve time constants, electrical power or
voltage levels, pneumatic pressures, etc. The utility of the
stress-strength concept is that it can provide a framework for
systematically identifying potentially troublesome areas so that
they can be further investigated and corrective actions taken.

Another "aid" for systematizing the search for potential
infant mortality failures involves the use of design review
checklists or guidelines.

Whatever means are taken for identifying potential infant
mortality failures, experience from similar hardware systems
must be drawn on heavily. Also, since most designers "live
with" their designs for quite some time, such failures are
seldom due to gross errors or mistakes. Identifying them,
therefore, requires careful attention to subtleties.


B.(2) Wearout Failures


The far end of the bathtub curve is characterized by an
increasing number of failures due to wearout. Theoretically,
all elements of a system would reach the wearout stage at
roughly the same time. In practice, system elements with known
lifetimes, such as mechanical equipment, will (or should be)
overhauled or replaced before they reach wearout. When not
mistreated, electronic parts, on the other hand, tend to exhibit
such long lifetimes that it is difficult to determine when they
are approaching wearout.

With an adequate overhaul program for such mechanical units
as pumps and motors, and with no mistreatment of electronic
parts, the prime candidates for wearout failures, then, are
pneumatic, hydraulic, and electro-mechanical elements (relays,
control valves, controllers, switches, sensors, actuators,
etc.). The wearout mechanisms involved with such parts include
long-term spring constant degradation, contact surface
deterioration, aging embrittlement of materials, etc.

While  little  can  be  done  to  preclude  eventual  wearout, 
abnormal  wearout  can  be  prevented.  This  can  be  done  during 
design  by  identifying  and  correcting  mechanisms  that  will  lead 
to  early  wearout  (e.g.,  reducing  friction  through  better  means 
of  lubrication,  using  more  durable  materials,  etc.). 

During  the  operational  phase,  preventative  maintenance 
programs  can  prevent  or  reduce  both  abnormal  and  normal  wearout 
failures  through  refurbishment  or  replacement.  This  is 
discussed  in  Section  XI. 


B.(3) Steady State Failures

The  center  portion  of  the  bathtub  curve  is  characterized  by 
a  "steady  state"  period  of  random  failures.  These  failures  are 
not  due  to  any  known  cause  (such  as  design  defects,  which 
contribute  to  infant  mortality).  During  the  steady  state 
period,  these  random  failures  are  as  likely  to  occur  during  any 
one  incremental  "slice"  of  time  as  during  any  other.  As  time 
progresses,  the  probability  that  a  random  failure  has  occurred 
will  increase.  In  other  words,  as  more  "slices"  of  time 
accumulate,  the  likelihood  increases  that  a  random  failure  will 
have  occurred. 

An  inherent  characteristic  of  this  steady  state  period  is 
that  it  spans  roughly  the  useful  life  of  the  system.  This  span 
depends  on  the  system,  but  periods  of  ten  years  are  realistic. 
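To put numbers on the three periods just described, here is an added Python example (not from the DOVAP report) that models the bathtub curve as three competing failure mechanisms, each with a Weibull hazard: a decreasing one for infant mortality, a constant one for the steady state (the exponential case), and an increasing one for wearout. The shape and scale parameters, and the hours at which the hazard is sampled, are constructed for illustration; the report gives no such model.

```python
import math

# Added example (not from the DOVAP report): a numerical bathtub curve built
# from three competing failure mechanisms, each modelled with a Weibull
# hazard.  The (shape, scale) parameters are CONSTRUCTED for illustration,
# with time in hours; the report itself gives no such model.
MECHANISMS = {
    "infant":  (0.5, 2000.0),    # shape < 1: hazard falls as "bugs" are weeded out
    "random":  (1.0, 10000.0),   # shape = 1: constant hazard, MTBF 10,000 h
    "wearout": (4.0, 120000.0),  # shape > 1: hazard climbs as parts wear out
}


def weibull_hazard(t, shape, scale):
    """Instantaneous failure rate h(t) = (beta/eta) * (t/eta)**(beta - 1)."""
    if t <= 0:
        raise ValueError("hazard is defined for t > 0")
    return (shape / scale) * (t / scale) ** (shape - 1)


def weibull_reliability(t, shape, scale):
    """Survival probability R(t) = exp(-(t/eta)**beta); beta = 1 gives e**(-t/eta)."""
    return math.exp(-((t / scale) ** shape))


def bathtub_hazard(t):
    """Competing risks: the hazards of independent mechanisms add."""
    return sum(weibull_hazard(t, *p) for p in MECHANISMS.values())


def bathtub_reliability(t):
    """Surviving to t means surviving every mechanism, so the R's multiply."""
    r = 1.0
    for shape, scale in MECHANISMS.values():
        r *= weibull_reliability(t, shape, scale)
    return r


def dominant_mechanism(t):
    """Name of the mechanism contributing the largest hazard at time t."""
    return max(MECHANISMS, key=lambda name: weibull_hazard(t, *MECHANISMS[name]))


def hazard_profile(hours=(100, 8760, 43800, 87600, 200000)):
    """Bathtub hazard and dominant mechanism at a few points in service life
    (about 4 days, 1 year, 5, 10 and 23 years)."""
    return [(t, bathtub_hazard(t), dominant_mechanism(t)) for t in hours]


if __name__ == "__main__":
    for t, h, who in hazard_profile():
        print(f"{t:>7.0f} h  h(t) = {h:.2e} /h  dominated by {who}")
```

With these constructed parameters the infant-mortality term has fallen to about the level of the random term after roughly a year of service, the total hazard is nearly flat between five and ten years, and wearout takes over after that; the steady state period in the middle is exactly the constant-hazard case in which the reliability expression reduces to an exponential.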

The reliability discipline was originally developed in
order to improve steady state reliability. In the years since,
infant mortality and wearout failures have to some extent come
under the purview of reliability on the basis that "a failure is
a failure" — whatever its cause. Nevertheless, the theory and
practice of reliability are still primarily concerned with the
steady state period, and the "tools of the trade" for improving
steady state reliability are highly developed.

As can be recalled from Section II (Fundamentals of
Reliability), steady state numerical reliability is determined
by the expression:

$R = e^{-\lambda t}$, where:

R, the numerical reliability, is the
probability that the equipment has NOT
failed,

λ is the equipment failure rate (or, the
reciprocal of the equipment MTBF) and,

t is the time period of interest in hours.

For complex systems, the system reliability is obtained by
properly combining the reliabilities of the individual system
elements. Improving reliability, then, involves increasing the
probability that the equipment has not failed. This, in turn,
involves improving the parameters in the reliability expression.
There are five basic approaches for accomplishing this.

1) Reducing the number of parts is the most straightforward
approach to improving reliability. Common sense alone indicates
that the fewer the parts, the less chance of failure. Expressed
in mathematical terms, eliminating parts eliminates their
failure rates from the reliability expression.

2) Improving failure rates is another means of improving
reliability. This can be accomplished in several ways. For
instance, a better grade of parts can be used, or parts can be
"de-rated" to reduce operating stresses.

3) Since time is a major parameter in the reliability
expression, reducing the time factor will improve reliability.
In practice, often there is not much that can be done in this
area. On occasions, however, it will be found that operating
time can be reduced through lowered duty cycles or alternate
approaches to operating mode.

4) Reliability can also be improved by reducing the effects of
failures. Redundancy is the approach most often utilized for
this. If, for instance, one particular "black box" is needed in
a system but two are provided, then the system would not fail if
one of these "black boxes" failed. Redundancy, however, can
introduce adverse effects and should not be used as a cure-all.

5) Finally, reliability can be improved through improved
preventative maintenance. This has the effect of improving a
part's failure rate either by improving the condition of the
part, or by removing and replacing a degraded part before it
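The reliability expression and the five improvement approaches above, worked numerically. This is an added Python example, not part of the DOVAP report: the part failure rates (in failures per hour), the count of 100 repeated interfaces and the 1,000-hour period are constructed sample values, and the part arrangement loosely follows the card-to-card interface of Case 1 in this section (resistors, a capacitor and a zener), not any measured data.

```python
import math

# Added example (not from the DOVAP report): the steady state reliability
# expression R = e**(-lambda*t) worked through for a block of signal
# interfaces, together with the five improvement approaches.  All failure
# rates (failures per hour), the interface count and the time period are
# CONSTRUCTED sample values, not data from the report.


def reliability(failure_rate, hours):
    """R = e**(-lambda*t): probability the item has NOT failed by time t."""
    return math.exp(-failure_rate * hours)


def mtbf(failure_rate):
    """The equipment MTBF is the reciprocal of its failure rate."""
    return 1.0 / failure_rate


def series_failure_rate(part_rates):
    """Every part is needed, so the part failure rates add
    (equivalently, the part reliabilities multiply)."""
    return sum(part_rates)


def parallel_reliability(unit_reliability, copies):
    """Redundancy: the function is lost only when every copy has failed."""
    return 1.0 - (1.0 - unit_reliability) ** copies


def shared_line_short_probability(p_short, parallel_parts):
    """The flip side of redundancy: with several parts across one shared
    line, the chance that at least one fails SHORT grows with their number."""
    return 1.0 - (1.0 - p_short) ** parallel_parts


# One card-to-card interface in the style of Case 1: R1, C1 and R3 on the
# driving card, a zener and pull-up R2 on the receiving card.
INTERFACE_PARTS = {"R1": 0.5e-6, "C1": 1.0e-6, "R3": 0.5e-6,
                   "zener": 2.0e-6, "R2": 0.5e-6}
INTERFACES = 100          # the arrangement is repeated about 100 times
MISSION_HOURS = 1000.0


def baseline_reliability():
    lam = series_failure_rate(INTERFACE_PARTS.values()) * INTERFACES
    return reliability(lam, MISSION_HOURS)


def compare_improvements():
    """Reliability of the interface block under each of the five approaches."""
    base_rate = series_failure_rate(INTERFACE_PARTS.values()) * INTERFACES
    base = reliability(base_rate, MISSION_HOURS)
    results = {"baseline": base}
    # 1) Fewer parts: for short runs drop R1/C1 and the zener/R2, keep R3.
    fewer = series_failure_rate([INTERFACE_PARTS["R3"]]) * INTERFACES
    results["fewer_parts"] = reliability(fewer, MISSION_HOURS)
    # 2) Better failure rates (better grade or de-rated parts), modelled
    #    here as halving every part failure rate.
    results["better_rates"] = reliability(base_rate / 2.0, MISSION_HOURS)
    # 3) Less operating time: a 50 percent duty cycle halves the t factor.
    #    Only the product lambda*t matters, so this equals approach 2.
    results["half_duty_cycle"] = reliability(base_rate, MISSION_HOURS / 2.0)
    # 4) Redundancy: a duplicate block, so both must fail (doubles the parts).
    results["redundant_pair"] = parallel_reliability(base, 2)
    # 5) Preventive maintenance acts on lambda in the same way as approach 2,
    #    by keeping degraded parts out of service; it is not modelled apart.
    return results


if __name__ == "__main__":
    block_rate = series_failure_rate(INTERFACE_PARTS.values()) * INTERFACES
    print(f"block MTBF {mtbf(block_rate):.0f} h")
    for name, r in compare_improvements().items():
        print(f"{name:>16}: R({MISSION_HOURS:.0f} h) = {r:.4f}")
    print("P(any of 8 parallel capacitors shorted) =",
          round(shared_line_short_probability(0.01, 8), 4))
```

Two things the numbers make visible that the prose only states: removing four of the five parts per interface lifts the 1,000-hour reliability of the block from about 0.64 to about 0.95, more than any of the other approaches, and halving the failure rates gives exactly the same result as halving the operating time because the expression depends only on the product λt. The last function is the caveat on redundancy: paralleling parts across a shared line raises the probability that at least one of them fails short.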


B.(4) System Downtime


Regardless of the reliability improvement measures taken,
system reliabilities of 100 percent (or, zero-percent chance of
system failure) can never be attained in practice. There will
always be some probability, even if it is small, that a random
failure will occur. For engine room automation systems, it is
prudent to minimize the downtime of the controls due to such
failures. Again, there are five basic approaches for
accomplishing this.

1) Reduce Response Time to a Failure Condition: Restoring the
system to normal operation requires first that the personnel
responsible for repair must respond to the failure condition.
This process is often set in motion by the occurrence of an
alarm. This, in turn, requires that adequate alarms be provided
to alert personnel to an abnormal condition. Other means of
alerting personnel to the existence of an abnormal condition
include periodic inspections and review of operating parameters.

2) Improve Hardware Accessibility: It is a well-known concept
that the longer it takes to access failed equipment for
troubleshooting and repair, the longer the system will be out of
service. Nevertheless, areas with some type of restricted
accessibility still manage to sneak through the design and layout
process.

3) Reduce Troubleshooting Time: In complex systems,
troubleshooting time can constitute a large portion of the overall
downtime. This can occur even when the technician is intimately
familiar with the system, and is provided with the best in the
way of documentation and test equipment. Any inadequacy can
only lead to longer troubleshooting time.

4)  Reduce  Repair  Time:  In  general,  automation  systems  are 
fairly  straightforward  to  repair  once  troubleshooting  has  been 
completed.  Significant  delays  can  occur,  however,  if  spares  are 
not  readily  available. 

5) Minimize System Restoration Time: Complex systems in
general, and complex automation systems in particular, are seldom
restored to service simply upon completion of repairs. Instead,
check-out and sometimes recalibration or alignment are
required. Depending on the particular system, these can introduce
additional delays in restoration time.


C.  RELIABILITY  DESIGN  AND  PERFORMANCE  CRITERIA 

To summarize from the above, reducing the probability of
failures and reducing their potential impact requires improved
reliability and reduced failure downtime. Five basic approaches
are available for accomplishing each of these.


In identifying the reliability-related design and
performance criteria, each of these ten basic approaches was
utilized as a category for the various criteria recommendations.
For each category, applicable "case histories" are first given by
case number. A discussion of the category including background,
rationale, and recommendations then follows.


C.(1) Reliability Improvement Categories
C.(1)(a) Reduce the Number of Parts:

Case 1: Excessive Interface Parts

On Ship A, an approach that was frequently utilized for
signals running from one card to another is depicted in Figure
X-1. As can be seen from this figure, the output from card 1
comes from an inverter with an input of resistor R1 and a
capacitor to ground. The signal goes to card 2 where its
voltage is conditioned by the zener diode and resistor R2 to +6
volts.

Such signal conditioning is often required where the
lengths of runs are quite long; for instance, from one rack to
another, or even long runs within the same rack. In many cases,
however, this arrangement was used where card 1 was separated
from card 2 by only a matter of a few inches within the same
card rack. For such runs, the inverter on card 1 should have
sufficient power to drive the signal to card 2 so that the need
for the zener and pull-up resistor R2 on card 2 is questionable.

Also, the need for resistor R1 and the capacitor to ground
on card 1 between the NOR gate and the inverter is questionable.
Such an approach is often used to obtain a time delay, but it
was not apparent that a time delay was required in this
circuitry.

Most of the failure modes of these parts cause loss of the
signal. That is, if R1 or R3 opened, or if the zener or
capacitor shorted to ground, the signal would be lost. For the
other failure modes of these parts (i.e., if R2, the zener, or
the capacitor opened), loss of some filtering or electrostatic
discharge protection would occur.

Since this interface arrangement is used for literally
hundreds of signals, the three resistors, zener and capacitor
must be multiplied by a factor of over 100 to get the total
number of parts involved.

Figure X-2: Excessive Signal Conditioning


Case 2: Excessive Signal Conditioning:


On  Ship  C,  a  signal  conditioning  approach  depicted  in 
Figure  X-2  was  repeatedly  utilized.  As  can  be  seen  from  this 
figure,  a  signal  from  a  sensor  is  sent  to  a  setpoint  channel  on 
a  setpoint  printed  circuit  card.  The  function  of  this  setpoint 
channel  is  to  produce  an  output  signal  when  the  signal  from  the 
sensor  reaches  either  its  high  or  low  limit  level.  From  the 
setpoint  channel,  the  signal  goes  to  an  alarm  channel  on  an 
alarm  card.  The  purpose  of  this  alarm  card  is  to  transmit  the 
alarm  signal  to  the  annunciator  equipment  when  the  setpoint 
channel  indicates  that  a  signal  has  reached  the  alarm  level. 

From the alarm channel, another signal goes to a line
receiver channel on a line receiver card. From the line receiver
card, the signal goes to control logic. Examples of such
signals would be fuel oil pressure high, lube oil pressure low,
etc.


The  need  for  three  channels  to  get  from  a  sensor  to  an 
alarm  and  to  the  control  logic  is  questionable.  The  setpoint 
channel  itself  puts  out  a  logic  level,  i.e.,  the  signal  goes  to 
a  logical  1  condition  when  the  sensor  reaches  the  critical 
point.  When  the  sensor  is  not  at  its  critical  point,  the  output 
of  the  setpoint  channel  is  a  logical  0.  Therefore,  the  logical 
1  and  0  conditions  needed  by  the  control  logic  are  available  at 
the  output  of  the  setpoint  channel. 

Some portions of the alarm channel are needed to allow the
alarm signal to be transmitted to the annunciator circuitry.
And again, the logical 1 and 0 conditions needed by the control
logic are available at the output of the alarm channel. The
line receiver is a further repetition of this, i.e., logic
levels are available at its output.

Each one of these "channels" involves a considerable number
of parts. Also, this signal conditioning approach is used for
many signals. A more reliable approach would be to use the
setpoint channel, send the signal from the setpoint channel to
the alarm channel only for triggering the alarm annunciator
system, and take the logic levels either directly from the set-
point channel or the alarm channel to the control logic. This
would eliminate the line receiver channel and possibly part of
the alarm channel, with a resulting improvement in reliability.
It would also decrease the likelihood of some potentially
critical failure effects (e.g., "false" trips) since most failures
in any one of these three "channels" would cause the signal
level to go to either a logical 0 or a logical 1.

It  is  possible  that  some  circuit  design  changes  would  be 
required  to  implement  this  alternate  approach,  but  the  resulting 
improved  reliability  would  make  this  effort  worthwhile. 
Case 3: Inclusion of Unused Parts:

On Ships A, B, and C, cases were noted where "unused" logic
circuitry is provided. This was usually to implement some
feature not appropriate or necessary for the vessel under
consideration. For instance, one case involved gating for status
checks of an additional forced draft blower, which was not
provided on the vessel. Such provisions allow control system
flexibility; i.e., the system does not have to be "tailored" to
allow for the specific number of forced draft blowers or
whatever. Nevertheless, such logic elements can fail and can have
serious failure effects. In the example above, the circuitry
had failure modes that indicated that the blower had stopped
(even though it was non-existent) which in turn caused the
boiler to trip.


Case 4: Excessive Interconnections:

On Ship B, the digital logic is implemented by using
printed circuit cards as "building blocks." With this
approach, circuit elements on one card must be interconnected with
circuit elements on other cards to implement functions and
sub-functions. (The alternate approach is to completely implement
functions or sub-functions on one card). For the burner master
logic, 42 cards were needed to implement the function.

The problem with this approach is the relatively high
failure rate associated with printed circuit card interconnects.
Failures can occur due to connector contamination, connector
contact damage, broken wiring, etc. Such failures can be
intermittent and very difficult to troubleshoot. With the use of
so many cards, troubleshooting the system can also be
difficult. In addition, this approach significantly increases life
cycle costs due to the increased number of spares required to
maintain the system.

Discussion:


Throughout  the  analyses  of  Task  II,  DOVAP  continually  noted  a 
lack  of  awareness  of  the  effects  of  large  numbers  of  parts. 

DOVAP  therefore  feels  it  should  be  emphasized  that  every  part 
has  a  failure  rate  and  the  fewer  the  parts,  the  lower  the  total 
failure  rate. 

There are three basic approaches for reducing the number of
parts, viz.,

a) Alternate design approaches,

b) Eliminating frills,

c) Ascertaining that all parts are really essential.


Cases 1, 2 and 4 above illustrate how the parts count can be
reduced through alternate design approaches, i.e., in Case 1,
interfacing arrangements could be different; in Case 2, signal
conditioning design could be different. In Case 4, logic
implementation could be different.

Eliminating frills in order to reduce the parts count is a
fruitful area for reliability improvement. Case 3 illustrates
one example of this.

Ascertaining that all parts are really essential is
illustrated by all four cases discussed above.

Through attention to such aspects as are illustrated in the
four cases above, and through an awareness that reliability will
be improved through reducing the number of parts, many
opportunities for improved reliability will be found.


C.(1)(b) Reduce the Failure Rate
Case 5: Parts Quality Level:

All systems analyzed during Task II utilized an extensive
number of commercial grade electronic parts (integrated
circuits, resistors, etc.). Many integrated circuits were of the
plastic type and were not hermetically sealed, and few were of
the quality level where burn-in was performed by the
manufacturer. Also, one of the systems utilized pneumatic parts
that exhibited few systematic quality provisions.


Case 6: Electrostatic Discharge (ESD):

There is increasing evidence that many electronic part
failures are caused by electrostatic discharge.* A persistent
failure problem in Navy equipment, for instance, was found to be
due to ESD damage. The causes include discharges occurring when
the plastic packaging in which components are shipped is opened;
the effects include ESD "punching" through semiconductor
junctions. High humidity does not prevent ESD.


*See,  for  instance,  Appendix  A  Log  #034. 


Case 7: Part De-Rating:


None of the manufacturers of the engine room automation
systems on Ships A, B, and C have guidelines regarding the
applied stress on electronic parts, and they do not perform
systematic stress analysis. As part of the analysis in Task II,
DOVAP did perform such stress analyses for selected electronic
parts.

The sample of selected part types represents approximately
20 percent of the card types; however, these are the high usage
cards and represent approximately 70 percent of the total parts
used in the systems. The circuit analysis performed on these
cards determined the power stress ratio, current stress ratio,
and junction temperature rise. The results of the circuit
analysis, as tabulated below, indicate that the parts on Ship A
are more heavily stressed than those on Ship B, and that in
neither system are consistent stress de-rating criteria
obvious.


Current and Power Stress Ratios

                   Ship A              Ship B
              Average    High     Average    High
Transistors     .63      .80        .42      .46
Diodes          .08      .16        .05      .10
Capacitors      .32      .69        .11      .20
Resistors       .10      .65        .03      .13


Case 8: Turbine Control Environment:

Although not noted on the systems evaluated during this
study, a firm specializing in the repair of marine control
systems reports that one of the major problem areas they see
involves environmental contamination and heat. They report that
turbine controls, in particular, are subjected to oil, water,
and soot vapors, and severe swings in temperature.


Case 9: Boiler Front Environment:

The severity of the boiler front environment, with heat,
vibration, and contamination being the main culprits, is well
known. Nevertheless, marine automation system repair firms
report that components not compatible with this environment are
not uncommon. Examples include the use of non-high-temperature
O-rings, the use of metal-to-metal contacts with a propensity
for contamination problems, and the use of reed relays that are
prone to "chattering." Also, cases are reported where
ventilation is not adequately directed to the boiler front area.


Case 10: Sensor Environment:


A firm specializing in the repair of marine control
systems reports that many of the problems it deals with stem from
sensor installation. Shock and vibration are significant
contributing factors. Electronic sensors, such as process
transmitters, are particularly subject to vibration-induced
degradation and failure, and should be located in vibration-free
areas. Also, sensors on pump discharge lines can experience high
shock and vibration levels, and should be mounted on some type of
shock absorber.


Case 11: Use of Reed Switches/Relays in Field Environments:

Reed relays and switches, in general, exhibit a high
failure rate due to the effects of vibration and should not be used
in field applications. An example of the misuse of these
devices occurs on Ship B, where they are used on the main and
auxiliary condenser for high level indications.


Case 12: Part Types:

On Ship A, the overall approach to the engine room
automation system is a hybrid system consisting of digital logic
and pneumatic controls. On Ships B and C, the overall approach is
a hybrid system consisting of digital logic and analog control
loops. In general, for the two steam vessels, where pneumatic
control loops are used on Ship A, analog control loops are used
on Ship B. This includes feedback loops for steam pressure
control, fuel oil flow control, etc.

Discussion: 

One of the most fruitful approaches for improving
reliability is to improve part failure rates. This can be done in
four basic ways:

a)  Use  higher  quality  level  parts, 

b)  De-rate  parts, 

c)  Improve  the  operating  environment, 

d)  Use  a  different  type  of  part  with  a  better 
failure  rate. 


Case 5 above illustrates how failure rates could be improved
through use of higher quality level parts. Data from
MIL-Handbook 217 indicates that failure rates for commercial
of top level military parts. This occurs because the higher the
quality level of the part, the more effort the manufacturer has
put into assuring that defective and potentially defective parts
are weeded out before they are delivered. This is primarily
accomplished through the use of better materials, more stringent
quality control during the manufacture of the part, and through
burn-in and testing to screen out infant mortality failures and
"weak" parts. Such measures increase the cost of the parts but
ensure higher reliability.

In general, for electronic piece parts such as
transistors, resistors, and so forth, there are four or five
quality levels. The first level is the commercial grade, and
these parts utilize inexpensive materials, and are usually sold
just as they come off the assembly line. The next quality level
involves some part testing and some improvement in the materials
and processes used. Subsequent quality levels involve more and
more quality assurance provisions by the manufacturer of the
part. The highest quality level, i.e., parts with what is
called "established reliability," are quite expensive and are
warranted only on special military programs for such "one-shot"
devices as missile systems. However, the intermediate quality
levels are less expensive and produce significant increases in
system reliability.

Another quality provision that can increase system
reliability involves "weeding out" weak hardware above the
piece-part level. Printed circuit cards, for instance, almost
always undergo a functional check before they leave the
manufacturer. This check is essentially of the "go-no-go"
variety, and is generally performed on all cards. In commercial
practice, usually only a sampling of cards, if any, undergo
further burn-in and screening. If ALL cards were subjected to
burn-in, those with weaknesses or marginal characteristics
exhibited only in circuit operation would be screened out before
they had the chance to fail in service.

Another area that comes under the general heading of
quality provisions involves protecting electronic piece-parts from
electrostatic discharge damage, as indicated in Case 6. The
document referenced in Log #034 provides an excellent discussion
on the causes, effects, and prevention of ESD. To summarize
briefly from that paper, ESD protection involves a two-fold
approach that (1) minimizes the use of highly ESD-sensitive
devices, and (2) places requirements on the manner in which
parts are packaged and handled in order to preclude
electrostatic discharge.

As indicated in Case 7 above, it was found that little was
done in the way of systematically de-rating parts. This
de-rating involves parameters unique to each part; for instance,
with transistors the major parameter is the power carried by the
transistor, and de-rating involves ensuring that the part
carries only some percentage of the rated value of the parameter.
These parameters have been found to be associated with the
failure rate in that the more the appropriate parameter is
de-rated, the better the failure rate of the part.

Most formal reliability programs require that electronic
parts be de-rated at least 30 percent, and in some cases, over
50 percent is required. While de-rating cannot achieve the
dramatic failure rate improvements that can be achieved through
the use of better quality parts, it can reduce failure rates by
a half or more.
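As an added illustration (not from the report or from any manufacturer's documentation), the following Python example performs the kind of stress-ratio check described in Case 7 and in the de-rating discussion above: it computes applied/rated ratios for a constructed sample of parts, summarizes them the way the report's table does (average and high per part type), and lists the parts that would violate a 30 percent or a 50 percent de-rating requirement. The part list, its ratings and applied values are all constructed; the junction temperature helper uses the textbook relation Tj = Ta + θJA·P, which is an assumption of this example and not something the report states.

```python
from collections import defaultdict

# Added example (not from the DOVAP report): a small part-stress (de-rating)
# check of the kind the report says the manufacturers did not perform.
# Every part, rating and applied value below is CONSTRUCTED; only the
# 30 and 50 percent de-rating figures come from the text.

# (part type, reference designator, stressed parameter, applied, rated)
# Power in watts for transistors and resistors, current in amperes for
# diodes, voltage in volts for capacitors.
SAMPLE_PARTS = [
    ("Transistors", "Q1",  "power",   0.40,   0.50),
    ("Transistors", "Q2",  "power",   0.23,   0.50),
    ("Diodes",      "CR1", "current", 0.16,   1.00),
    ("Diodes",      "CR2", "current", 0.05,   1.00),
    ("Capacitors",  "C1",  "voltage", 6.9,    10.0),
    ("Capacitors",  "C2",  "voltage", 2.0,    10.0),
    ("Resistors",   "R1",  "power",   0.1625, 0.25),
    ("Resistors",   "R2",  "power",   0.0325, 0.25),
]


def stress_ratio(applied, rated):
    """Fraction of the part's rating actually carried in the circuit."""
    if rated <= 0:
        raise ValueError("rated value must be positive")
    return applied / rated


def max_allowed_ratio(derating_percent):
    """De-rating by 30 percent means carrying at most 70 percent of the rating."""
    return 1.0 - derating_percent / 100.0


def summarize_by_type(parts):
    """Average and highest stress ratio per part type, as in the report's table."""
    ratios = defaultdict(list)
    for ptype, _ref, _param, applied, rated in parts:
        ratios[ptype].append(stress_ratio(applied, rated))
    return {ptype: (sum(v) / len(v), max(v)) for ptype, v in ratios.items()}


def derating_violations(parts, derating_percent):
    """Reference designators whose stress ratio exceeds the de-rating limit."""
    limit = max_allowed_ratio(derating_percent)
    return [ref for (_t, ref, _p, a, r) in parts if stress_ratio(a, r) > limit]


def junction_temperature(ambient_c, power_w, theta_ja_c_per_w):
    """Tj = Ta + theta_JA * P (assumed textbook relation, not from the report)."""
    return ambient_c + theta_ja_c_per_w * power_w


if __name__ == "__main__":
    for ptype, (avg, high) in summarize_by_type(SAMPLE_PARTS).items():
        print(f"{ptype:<12} average {avg:.2f}  high {high:.2f}")
    for pct in (30, 50):
        print(f"exceeds {pct}% de-rating:", derating_violations(SAMPLE_PARTS, pct))
    # Constructed: 0.40 W in a package with theta_JA of 100 C/W at 50 C ambient.
    print("Q1 junction temperature:", junction_temperature(50.0, 0.40, 100.0), "C")
```

Run over the sample, only Q1 breaks the 30 percent rule, while Q1, C1 and R1 all break the 50 percent rule; the per-type summary is the same shape as the Ship A / Ship B table above, which is how a reviewer would spot that no consistent de-rating criterion is being applied.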

As indicated in Case 12 above, systems can be based on
various design approaches and hybrid arrangements. In selecting
the design approach, reliability can be improved by selecting
the type of hybridization that will yield the best failure
rates. For instance, failure rates of pneumatic components are
quite high and can be over an order of magnitude higher than
those for analog circuitry performing the same control function.
Similarly, analog circuitry has somewhat higher, i.e., worse,
failure rates than those for digital circuitry, but this can be
offset by extensive use of digital circuits. That is, if a
function can be performed by analog or digital circuitry, the
digital circuitry may require many more parts because of the
need for extensive gating, flip-flops, etc.

Failure rates can also be improved through improvements in
the operating environment. There are some facets of the
operating environment that cannot be changed, of course, such as
the high humidity levels that shipboard installations will always
be subjected to. Some facets of the operating environment are
quite amenable to improvement, however.

For instance, the effects of shipboard vibration can be
reduced by mounting equipment racks on resilient shock/vibration
absorbers. The effect of temperature on parts can cause the
failure rate to vary by factors of 2 or 3. Therefore, if the
operating temperature can be lowered — for instance, through
placing the system in an air-conditioned room — failure rates can
likewise be improved. The use of fans and heat sinks can also
improve the operating temperature of a part.

Where facets of the operating environment cannot be
improved, measures can often be taken to improve the hardware's
"resistance" to these facets. Such measures would include
ensuring the compatibility of mating materials, using
high-temperature-tolerant components in hot locations, etc. Cases
8 through 11 illustrate situations where component resistance to
various environmental facets can be improved.
C.(1)(c) Reduce Operating Time Factors
Discussion: 

No cases were found in the analysis where operating time factors could
be reduced. However, it can be recalled that reliability is expressed
as R = e^(-λt), where λ is the failure rate and t the operating time.
Therefore, if operating time factors can be reduced, reliability will
be increased.

This can sometimes be accomplished through lowering the duty cycle.
For instance, circuitry that does not have to be on could be switched
off, although if this is done, the means of switching should be highly
reliable to ensure that the circuitry will indeed switch back on when
desired.

Another way of reducing operating time is through alternate approaches
to the operating mode. This can sometimes be accomplished during the
design stage by considering the operating mode possibilities and
selecting the one(s) that allow operating time on certain portions of
the system to be reduced.


C.(1)(d) Reduce the Effects of Failure
Case 13: Filter Capacitor Failure Modes:

On Ships A, B, and C, each printed circuit card has one or more filter
capacitors between each of the card's power inputs and ground. On Ship
B, the arrangement is one filter capacitor per power input per card.
On Ship A, each power input has from four to eight filter capacitors
in parallel (circuit-wise). On Ship C, from five to, in some cases,
thirty filter capacitors in parallel are provided.

If any of these capacitors failed open, the card would be more
susceptible to EMI from transients on the power line. If any capacitor
failed short, however, the power line to ALL cards would be shorted
directly to ground. This short would probably be removed very quickly,
since the capacitor would in all likelihood burn open under the load
it had to carry during the short circuit condition. Nevertheless, the
short would keep the power supply shorted to ground long enough to
cause trips throughout the system.

From available data on capacitor failure mode ratios, there is a
greater likelihood of a capacitor short than a capacitor open. For
some electrolytic capacitors, such as those typically used for
filtering, the failure mode ratios are about 70 percent for shorts and
30 percent for opens. For a system with 100 printed circuit cards,
which is not an especially large system, there would be at least 100
capacitors, implying a non-trivial probability of at least one of them
shorting. If, as on Ships A or C, there are five, ten, or more of
these capacitors per card, this probability increases dramatically.
Over a one-year

capacitors indicate over a 50 percent chance of one of them shorting.

These capacitors should be connected in series pairs so that a single
capacitor short would not ground the power line. Figure X-3 indicates
this arrangement. This "fail safe" approach would require much larger
capacitors, since series capacitance is an inverse sum (two equal
capacitors in series give half the value of one), and this could
create packaging problems. It should also be noted that the series
arrangement trades short-mode exposure for open-mode exposure: if
either capacitor of a pair opens, that pair's filtering is lost, which
is the less damaging of the two outcomes. Nevertheless, the
alternative of a high likelihood of a shorted power supply makes the
trade-off worthwhile.
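The arithmetic behind Case 13 can be worked through with the report's own reliability expression, R = e^(-λt), and its 70/30 failure mode ratios. The following Python script is an added worked example and is not part of the original report; the per-capacitor failure rate (2 x 10^-7 failures per hour) and the 100-card, five-capacitors-per-card system size are assumed illustration values, not data from the study. It compares the probability of a grounded power line for the as-built parallel arrangement against the series-pair arrangement of Figure X-3, shows the open-mode price of the series arrangement, and also quantifies the duty-cycle effect described under Section C.(1)(c).

```python
import math

# Added worked example (not from the report). Failure rates used below are
# ASSUMED round numbers chosen for illustration, not data from the study.


def reliability(failure_rate_per_hour, hours):
    """R(t) = exp(-lambda*t): probability that a part with a constant
    failure rate lambda (failures/hour) survives `hours` of operation."""
    return math.exp(-failure_rate_per_hour * hours)


def reliability_with_duty_cycle(failure_rate_per_hour, calendar_hours, duty_cycle):
    """Section C.(1)(c): only powered hours accumulate lambda*t, so cutting
    the duty cycle raises R. The dormant (switched-off) failure rate is
    taken as zero here, which is an idealisation."""
    return reliability(failure_rate_per_hour, calendar_hours * duty_cycle)


def p_at_least_one_short_parallel(n_caps, failure_rate_per_hour, hours, short_fraction):
    """Case 13 as built: N filter capacitors each directly across the power
    line. A short in ANY one of them grounds the supply, so the short-mode
    events of all N capacitors are pooled into one exponential."""
    short_rate = failure_rate_per_hour * short_fraction  # shorts per capacitor-hour
    return 1.0 - math.exp(-n_caps * short_rate * hours)


def p_at_least_one_short_series_pairs(n_pairs, failure_rate_per_hour, hours, short_fraction):
    """Figure X-3 arrangement: capacitors in series pairs. The line is
    grounded only if BOTH capacitors of the same pair short, so the
    per-pair probability is the square of the single-capacitor figure."""
    p_one = 1.0 - math.exp(-failure_rate_per_hour * short_fraction * hours)
    return 1.0 - (1.0 - p_one ** 2) ** n_pairs


def p_filter_loss_series_pairs(n_pairs, failure_rate_per_hour, hours, open_fraction):
    """The price of the series arrangement: a pair loses its filtering if
    EITHER capacitor opens, so the open-mode exposure per pair doubles."""
    p_one_open = 1.0 - math.exp(-failure_rate_per_hour * open_fraction * hours)
    p_pair_open = 1.0 - (1.0 - p_one_open) ** 2
    return 1.0 - (1.0 - p_pair_open) ** n_pairs


def capacitance_per_part_for_series_pair(target_farads):
    """Two equal capacitors C in series give C/2, so each part must be twice
    the target value (the packaging problem the report mentions)."""
    return 2.0 * target_farads


if __name__ == "__main__":
    LAMBDA = 2.0e-7          # assumed failures/hour per capacitor
    SHORT, OPEN = 0.7, 0.3   # failure mode ratios quoted in Case 13
    YEAR = 8760              # hours in one year of continuous operation
    n = 100 * 5              # 100 cards x 5 capacitors per card (Ship A style)
    print("parallel, P(line grounded within a year)   = %.3f"
          % p_at_least_one_short_parallel(n, LAMBDA, YEAR, SHORT))
    print("series pairs, same part count              = %.6f"
          % p_at_least_one_short_series_pairs(n // 2, LAMBDA, YEAR, SHORT))
    print("series pairs, P(some filtering lost)       = %.3f"
          % p_filter_loss_series_pairs(n // 2, LAMBDA, YEAR, OPEN))
    print("R for 1000 h at 50%% duty vs 100%% duty: %.4f vs %.4f"
          % (reliability_with_duty_cycle(1e-3, 1000, 0.5), reliability(1e-3, 1000)))
```

With the assumed rate, the 500-capacitor parallel arrangement grounds the line with a probability near one half in a year, in line with the "over 50 percent" figure of the report, while the series-pair arrangement with the same part count brings that to a fraction of a percent at the cost of a roughly one-in-four chance that some card loses part of its filtering.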


Case 14: Fuel/Air Changes on Steam Demand Changes:

On both steam vessels evaluated, the design is such that on an
increase in steam demand, the increase in combustion air always leads
the increase in fuel oil. Likewise, on a decrease in steam demand, the
decrease in fuel oil always leads the decrease in air. This prevents
excess fuel oil in the furnace and the possibility of an explosion.
However, certain failure modes were identified where the change in
fuel or air would occur in the opposite sequence, thus negating the
explosion protection features of the design. Further, no alarms are
provided that would alert the crew to this situation if any of these
failure modes occurred.


Case 15: Relay Arc Suppression Diodes:

On all three ships, cases were noted where the arc suppression across
a relay coil consisted of a single diode, as shown in Figure X-4. If
this diode shorted, it would short out the relay coil. If the diode
opened, arc suppression would be lost, but this would not necessarily
cause the relay to fail. A more reliable arrangement would be to use
two arc suppression diodes in series, as shown in the figure. With
this arrangement, if one diode shorted, the relay would still remain
operable and the remaining diode would still provide suppression.


Case 16: Power Supply Redundancy:

Although the systems evaluated during this study had provisions for
back-up power, marine automation system repair firms indicate that
this is not always the case. The power supplies in question are those
that convert ship's power to the specific voltages, usually D.C.,
required in the control cabinet.

If only one power supply is provided, its failure would cause loss of
all automatic control functions. Since control system components will
be switching and changing states more frequently during maneuvering,
the load on the power supply will be greatest during that operational
mode. This implies that a power supply would be somewhat more likely
to fail during the stresses of the maneuvering mode than during other,
more benign, modes.

Due to the above risks, redundant power supplies should always be
provided, and automatic switching from the failed to the back-up unit
should be available. Such redundancy is very easy to implement. The
switching arrangement itself should be examined so that it does not
become a new single point of failure.


Case 17: Common Cause Failures:

The possibility of "common cause" failures did not appear to have been
considered in any of the three systems evaluated. Common cause
failures are those where more than one failure mode can be caused by a
single failure. An example of a common cause failure would be an
integrated circuit composed of several gates, with each gate being
used in a different function. If the integrated circuit chip should
crack or its power input short, all its gates would fail.

On Ship B, such a common cause failure was found to be possible. That
is, each of three individual circuits on one integrated circuit was
used in a different function, viz., ignitor, burner valve, and air
register control.


Case 18: Single Point Failures:

The term "single point failure" is reliability jargon for a single
failure that causes some catastrophic or highly critical event. In all
three systems evaluated, single point failures were identified. These
ranged from single failures that would cause false trips and single
failures that would prevent a burner valve from closing in the event
of a boiler safety trip, to single point failures that would cause an
uncommanded vessel speed increase.


Case 19: Sensor Redundancy:

All of the systems evaluated utilized single (i.e., non-redundant)
sensors. Since the most prevalent sensor failure mode is loss of
output, if any of these non-redundant sensors failed, the associated
alarm would be lost and any control sequencing circuitry the sensor
was used in would malfunction. Protection against such failure
consequences could be provided in a straightforward manner through the
use of dual, redundant sensors.
Case 20: Effects of Redundancy:

On all three vessels, the analysis indicated that redundancy was
incorporated to ensure that trips occurred when trip conditions
existed. The redundancy criterion applied in these cases is to ensure
that the crucial event occurs, e.g., that the trip does occur. This
is, of course, a valid criterion. On the other hand, such redundancy
approximately doubles the number of failure modes that can cause a
false event, in this example a false trip. In other words, each
redundant protective item can generate false protection.


Case 21: Control Failure Due to Problems in External Environment:

The sister ship of Vessel B experienced a total failure of the control
system when a water pipe above the control room burst and flooded the
controls. During the design and construction of the control room,
consideration must be given to the possibility of problems from all
external environments, including the possibility of flooding from
overhead pipes.


Case 22: Use of a Single Sensor for Multiple Purposes:

On Ship B, there is one steam pressure sensor for each boiler, and the
low pressure alarm for each boiler is tied directly to its respective
sensor. The outputs from both sensors go to high level select logic,
where the higher of the two outputs is passed on to all of the
following:

a)  Steam  pressure  master  control  logic 

b)  Throttle  control  malfunction  proportional 
control  logic 

c)  Throttle  control  trip  logic 

d)  Steam  dump  logic 

If one of these sensors failed high, it would cause no alarm, because
only steam pressure low alarms are provided. Also, the capability
would be lost for turbine trip or turbine cutback via the malfunction
proportional control for a steam pressure low condition, since the
high select would continue to pass the failed-high reading. More
significantly, the following chain of events would occur:

a) A high signal would be sent to the steam dump controller, and
would activate the steam dump system.

b) A high signal would be sent to the master demand controller, and
steam production would be cut back.

c) There would be a sudden decrease in steam with no turbine cutback
from the malfunction proportional control logic and no turbine trip.

d) Eventually, a steam pressure low alarm would occur (from the
sensor on the other boiler), but in the interim there would be a
tremendous steam imbalance, and a good possibility of loss of other
steam dependent systems.
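The Case 22 signal path can be expressed as a small logic model that walks through the chain of events above. The following Python script is an added example, not taken from the report or from the Ship B documentation; all setpoints (500 psi low alarm, 650 psi master cutback, 700 psi steam dump, 1,000 psi failed-high reading) and the pressure trajectory are assumed values chosen for illustration. The sensor deviation alarm it includes is not part of the Ship B design; it is shown as the kind of cross-check that a second, redundant sensor makes possible.

```python
# Added worked example (not from the report): a logic model of the Ship B
# signal path described in Case 22, with one steam pressure sensor per
# boiler and a high-select feeding the control and protective functions.
# All setpoints (psi) and the failed-high reading are ASSUMED for
# illustration; the report gives none.

LOW_ALARM_PSI = 500      # steam pressure low alarm, tied to each sensor
CUTBACK_PSI = 650        # master demand controller cuts back firing above this
DUMP_PSI = 700           # steam dump activates above this
FAILED_HIGH_PSI = 1000   # a sensor that fails high reads full scale
MAX_DEVIATION_PSI = 50   # added cross-check: the two sensors should agree within this


def high_select(a, b):
    """High level select logic: passes the higher of the two readings."""
    return max(a, b)


def evaluate(sensor1_psi, sensor2_psi):
    """State of each alarm and control function for one pair of sensor
    readings, following the Case 22 wiring."""
    selected = high_select(sensor1_psi, sensor2_psi)
    return {
        # Low alarms are tied directly to each sensor, not to the selected value.
        "boiler1_low_alarm": sensor1_psi < LOW_ALARM_PSI,
        "boiler2_low_alarm": sensor2_psi < LOW_ALARM_PSI,
        # Everything downstream of the high-select sees only the higher reading.
        "steam_dump": selected > DUMP_PSI,
        "master_cutback": selected > CUTBACK_PSI,
        "turbine_cutback_or_trip": selected < LOW_ALARM_PSI,
        # Not in the Case 22 design: a deviation alarm between the two
        # sensors, the kind of check a redundant sensor makes possible.
        "sensor_deviation_alarm": abs(sensor1_psi - sensor2_psi) > MAX_DEVIATION_PSI,
    }


def failed_high_sequence(true_psi_by_step):
    """Walks the chain of events for sensor 1 stuck at full scale while the
    true pressure (seen correctly by sensor 2) falls step by step."""
    return [evaluate(FAILED_HIGH_PSI, true_psi) for true_psi in true_psi_by_step]


def first_step_with(states, key):
    """Index of the first step at which `key` is active, or None if never."""
    for i, state in enumerate(states):
        if state[key]:
            return i
    return None


if __name__ == "__main__":
    # Assumed trajectory: normal pressure, then collapse after dump and cutback.
    trajectory = [600, 600, 560, 520, 480, 440]
    states = failed_high_sequence(trajectory)
    for key in ("steam_dump", "master_cutback", "turbine_cutback_or_trip",
                "boiler2_low_alarm", "sensor_deviation_alarm"):
        print("%-24s first active at step %s" % (key, first_step_with(states, key)))
```

Run as written, the model reproduces the report's sequence: dump and cutback act at the first step, the turbine protection never acts because the selected value is the stuck reading, and the only low alarm comes late from the healthy sensor. The deviation check, by contrast, flags the failure at the first step.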


Case 23: Instantaneous Handpump Backup:

A manual handpump is provided as a back-up for the primary throttle
controls on both Ships A and B. This handpump should be
instantaneously usable because of the possibility of collision if loss
of the throttle control occurs. The handpump evaluated in this study,
however, requires a minimum of 20 strokes before it can activate the
steam valves, and this time could be very critical. An instantaneous
back-up should be considered, such as an air pump using an
accumulator.

Discussion: 

In  general,  there  are  three  ways  to  reduce  the  effects  of  a 
failure: 


a) Redundancy

b)  Alternate  Design 

c)  Detect  Impending  Failures 

Cases 13, 15, 16, 19, 22, and 23 above indicate where redundancy could
be utilized to reduce the effects of failure. In case 13, the
redundancy involves capacitors in series to protect against a shorted
capacitor. Likewise, using two diodes across the relay coil in case 15
above involves redundancy protection against a shorted diode. In case
16, power supply redundancy is recommended to prevent loss of control
power, and in cases 19 and 22 redundant sensors are advised to
preclude loss of the sensor signal. In case 23, an instantaneous
back-up to the handpump would be beneficial.

Redundancy, however, can also introduce problems, as indicated in case
20 above. Therefore, in implementing redundancy, trade-offs regarding
which failure modes to protect against must be evaluated. In
protective circuitry, redundancy approximately doubles the number of
failure modes that can cause a "false" protective event. The
additional parts in any redundancy approximately double the overall
failure rate, and hence the repair burden. Also, it is difficult, if
not impossible in some cases, to determine when a failure has occurred
in a redundant circuit. That is, as long as one redundant counterpart
is non-failed, the equipment would perform as required in either a
test or an actual situation, and it would not be known whether one or
both of the redundant circuits were operable. Unless each redundant
channel can be tested individually, the protection may silently
degrade to a single channel.
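The trade-off described in Case 20 and in the discussion above can be quantified for a two-channel trip circuit. The following Python script is an added example and is not part of the report; the per-channel failure rates (10^-5 per hour fail-to-trip, 2 x 10^-5 per hour spurious trip) and the one-year interval are assumed illustration values. It compares a single channel, the "either channel trips" (1-out-of-2) arrangement found on the three ships, and the opposite "both channels must agree" (2-out-of-2) rule, and computes the probability that a 1-out-of-2 system is operating with one channel already failed but undetected.

```python
# Added worked example (not from the report): the redundancy trade-off of
# Case 20 for a two-channel trip circuit. Each channel has two failure
# modes: "fail to trip" (rate lambda_d, the dangerous mode) and "spurious
# trip" (rate lambda_s, the false event). Rates at the bottom are ASSUMED.
import math


def channel_probs(lambda_d, lambda_s, hours):
    """Per-channel probability of each failure mode over `hours`, from
    R = exp(-lambda*t) applied mode by mode."""
    p_d = 1.0 - math.exp(-lambda_d * hours)
    p_s = 1.0 - math.exp(-lambda_s * hours)
    return p_d, p_s


def single_channel(p_d, p_s):
    """One channel, no redundancy."""
    return {"missed_trip": p_d, "false_trip": p_s}


def one_out_of_two(p_d, p_s):
    """The arrangement found on the three ships: either channel tripping
    trips the plant. A missed trip needs BOTH channels failed-to-trip; a
    false trip needs only ONE spurious channel, hence roughly twice the
    false-trip exposure of a single channel."""
    return {"missed_trip": p_d ** 2,
            "false_trip": 1.0 - (1.0 - p_s) ** 2}


def two_out_of_two(p_d, p_s):
    """The opposite voting rule: both channels must agree before tripping.
    This squares the false-trip exposure but doubles the missed-trip one."""
    return {"missed_trip": 1.0 - (1.0 - p_d) ** 2,
            "false_trip": p_s ** 2}


def p_one_channel_silently_dead(p_d):
    """The latent-fault problem the discussion raises: probability that a
    1-out-of-2 system still trips correctly on test while exactly one of
    its two channels has already failed-to-trip."""
    return 2.0 * p_d * (1.0 - p_d)


def total_failure_rate(channel_rate, n_channels):
    """The repair burden grows with the part count: n channels fail, and
    need repair, about n times as often as one."""
    return n_channels * channel_rate


if __name__ == "__main__":
    # Assumed: 1e-5/h dangerous, 2e-5/h spurious, one year between proof tests.
    p_d, p_s = channel_probs(1e-5, 2e-5, 8760)
    for name, fn in (("1oo1", single_channel), ("1oo2", one_out_of_two),
                     ("2oo2", two_out_of_two)):
        r = fn(p_d, p_s)
        print("%s  P(missed trip)=%.2e  P(false trip)=%.2e"
              % (name, r["missed_trip"], r["false_trip"]))
    print("P(one channel silently dead at next test) = %.3f"
          % p_one_channel_silently_dead(p_d))
    print("repair demand, 2 channels vs 1: %.1e vs %.1e per hour"
          % (total_failure_rate(3e-5, 2), total_failure_rate(3e-5, 1)))
```

The two voting rules are mirror images: 1-out-of-2 buys a much smaller missed-trip probability with a doubled false-trip probability, exactly the effect Case 20 describes, and the latent-fault figure shows why the discussion insists that a redundant channel cannot be assumed healthy without a test that exercises each channel on its own.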

Another means of reducing the effects of a failure is to utilize
alternate design approaches which eliminate the undesirable failure
effect. Case 2 above, which discussed alternate approaches to signal
conditioning by eliminating the line receivers, would involve such
approaches. In this case, eliminating the line receiver would also
eliminate its failures and, therefore, its failure effects. In case
14, an alternate design approach could be derived to eliminate the
possibility of fuel oil leading combustion air under certain failure
conditions. Likewise, case 21 illustrates how alternate design
approaches can preclude problems from external sources.

In cases 17 and 18 above, common cause and single point failures are
illustrated. Some, but not all, common cause failures are also single
point failures. This occurs because of the multiple failure modes
resulting from common cause failures. That is, with multiple failure
modes there is an increased likelihood that at least one will be
critical. Also, there is a good chance that the multiple failure modes
will be more critical in combination than any one failure mode would
have been singly.


The standard approach to protecting against single point failures
usually involves redundancy. Protection against common cause failures
is sometimes provided through redundancy and sometimes through
alternate design and implementation approaches. In determining which
protective approach should be taken for either single point or common
cause failures, the trade-offs between redundancy and alternate design
approaches should be weighed, especially in view of the potential
disadvantages cited above for redundancy.

The effects of failure can also be reduced through detecting impending
failures. That is, if by some means it is known that a part is going
to fail, removing it and replacing it with a good part precludes the
possibility that the impending failure would have occurred. This is
discussed in the maintenance analysis criteria in Section XI.


C.(1)(e) Provide Improved Preventative Maintenance
Discussion:

Reliability can be improved through preventative maintenance by
detecting impending failures, as noted above, and by refurbishing
parts to improve their condition. This is discussed in Section XI.


C.(2) Downtime Reduction Categories

C.(2)(a) Reduce Response Time to a Failure Condition

Case 24: Alarm/Indicator Provisions:

In all systems evaluated, considerable attention had been devoted to
providing adequate alarms, gauges, and visual indications. Cases were
still found, however, where possible abnormal conditions were not
"alarmed." On Ship A, for instance, there is a steam temperature high
alarm but no steam temperature low alarm. A steam temperature gauge is
provided. Neither Ship A nor Ship B has an alarm for high steam
pressure. On Ship B, there is no annunciator for ignitor extended.


Case 25: Sensor to Alarm Circuit Path:

On  Ship  B,  most  alarm  circuits  are  tied  directly  to  the 
initiating  sensor.  Thus,  if  a  failure  occurs  in  circuitry  used 
for  a  control  function,  and  therefore,  not  in  the  "sensor  to 
alarm  path,"  no  alarm  will  occur. 


Case 26: Boiler Trip Annunciators:

On Ships A and B, annunciators are provided for boiler trip conditions
and indicate the reason for the trip. The reason indicated, however,
does not necessarily cover trips caused by the control system itself.
Trips and their associated alarms occur, for instance, on low drum
level, loss of combustion air, etc. Thus, if one of these conditions
actually occurs, or appears to have occurred because of a control
system failure, the alarm will sound. If the control system fails and
causes a trip that is not one of the alarmed trip conditions, no alarm
will sound.


Case 27: Position Feedback Sensors:

On all three systems evaluated during this study, and on another
system (as reported by a marine control system repair firm), there are
cases where a feedback position sensor does not sense the required
position directly. That is, rather than sensing the actual position of
a valve or actuator, the "element" sensed is a control linkage or
servo signal. This would cause no problem as long as no failures
occurred. However, if a failure occurred beyond the sensor's
"purview," for instance in the actual actuating device, the control
loop would behave as though no failure had occurred, and no
annunciator signal would be generated.
Case 28: Critical Alarms Activated by Trip Logic Rather Than the
Opening or Closing of the Valves or Actuators:

On Ship B, the fuel oil trip valve closed alarm is set off by the trip
circuitry rather than by the valve itself. However, a substantial
amount of circuitry that is not a part of the trip circuitry would
close the valve if it failed. Also, failure of the valve actuators or
of the valve itself could cause the valve to close. None of these
conditions would alert the crew that the fuel oil trip valve had
closed.


Case 29: Inadequate Alarms:

The number and types of alarms were found to vary from ship to ship;
however, there generally appears to be inadequate coverage in the
following areas:

High Steam Pressure: Although relief valves and the steam dump would
prevent a catastrophic problem if high steam pressure developed, the
high pressure would have been caused by a failure in the steam
generation or combustion control system, and action should be taken.

Steam Dump: Activation of the steam dump should be alarmed for two
reasons: first, as redundancy to the high steam pressure alarm;
second, because if the steam dump should inadvertently activate, a low
steam condition would occur in a relatively short time.

Low Steam Temperature: Low steam temperature could cause turbine
damage due to wet steam. This also indicates a failure of the control
system for which action should be taken.

Fuel Oil Pressure High: Fuel oil pressure high could cause excess fuel
oil, and corrective action should be taken.

Ignitor Extended: On some systems, there are no lights or alarms to
indicate that the ignitor is extended or has not retracted. This could
result in significant burner management problems, and there should be,
as a minimum, an indication light and preferably an alarm.

Discussion:

It appears to DOVAP that alarm/annunciator provisions are presently
based on abnormalities due to factors outside the control system. This
is certainly a valid approach, but abnormalities caused by the control
system itself should also be covered.

Presently, control system abnormalities are indicated via built-in
test circuitry (BIT) on a number of printed circuit cards on all
systems evaluated. This BIT usually consists of light-emitting diodes
that illuminate when certain control failures have occurred. However,
it seems doubtful that many crew members would be able to, or want to,
interpret these BIT indicators. Also, the indications are strictly
visual, and are not intended to serve as an alerting function.


C.(2)(b) Improve Hardware Accessibility
Case 30: Equipment Accessibility:

The portions of control systems that are located within control
consoles and racks are almost universally easily accessible. This is
not always the case with components remote from the console, such as
sensors, actuators, control valves, etc. For instance, on a system not
evaluated during this study, the throttle trip valve, which dumps
hydraulic pressure in the event of a turbine trip, is located inside
the turbine front stand. This inaccessibility makes maintenance and
repair of the valve difficult.

Discussion: 

The  contribution  of  ease  of  accessibility  to  equipment 
maintenance  is  well-known,  and  most  designs  attempt  to  provide 
adequate  working  space  around  equipment.  This  is  not  always 
accomplished,  however,  as  illustrated  in  Case  30  above.  Also,  a 
general  area  that  is  often  neglected  involves  the  procedures 
that  must  be  taken  to  get  inside  the  equipment.  For  instance, 
fasteners  may  be  awkward  to  get  to  or  require  special  tools. 


C.(2)(c) Reduce Troubleshooting Time

Case 31: Loss of Function Due to Failure Outside the Function:

On Ship A, it was found that failures in the purge control circuitry
can cause a false boiler shutdown during normal operation (i.e., when
no purge is taking place). This occurs because the purge circuitry
signals the master fuel oil valve to close during a purge. Therefore,
failures in this purge control circuitry can falsely signal the master
fuel oil valve to close during normal operation.


Case 32: Documentation Status:

On Ship A, the operator had developed an extensive set of operating
manuals. These supplemented the detailed automation system schematics
provided by the automation system manufacturer. On Ships B and C, the
manufacturers provided extensive operating and schematic
documentation. On Ship C, the manufacturer also provided
troubleshooting documentation with "quick look" diagrams.

In general, however, none of the documentation appeared suitable for
understanding the system without an extensive learning process.
Deficiencies noted included: lack of definitions as to the nature of
the signals; lack of timing diagrams where timing was an important
factor; and lack of adequate signal flow layouts, which made signal
tracing difficult.


Case 33: Documentation Not Current:

Because  of  the  large  turnover  in  crew  members,  maintenance 
and  operational  documentation  must  be  current.  An  example  was 
observed,  however,  where  the  manufacturer  recommended  that  the 
fuel  oil  pressure  alarm  sound  at  40  psi.  It  was  found  during 
actual  operation  that  the  boilers  would  flame  out  at  40  psi,  so 
the  chief  engineer  then  set  the  alarm  for  45  psi.  However,  the 
manual  still  shows  the  alarm  setting  as  being  40  psi. 


Case 34: Operating Instructions Not Complete:

Any  control  system  limitations  should  be  documented  so  that 
crew  members  are  aware  of  what  is  normal  or  abnormal.  As  an 
example,  when  the  throttle  of  Ship  B  is  opened  from  40  percent 
to  full  ahead,  the  low  steam  pressure  alarm  sounds.  The  chief 
engineer  reported  that  this  was  a  normal  occurrence  but  there 
was  no  documentation  stating  that  this  would  occur. 

Discussion:

Reducing troubleshooting time implies reducing the time required to
locate the failure. This requires a general knowledge of possible
failure effects and documentation that enables one to trace the
function.

In  case  31  above,  it  could  defy  reasoning  to  even  consider 
the  possibility  that  the  purge  control  card  had  shut  the  master 
fuel  oil  valve.  Yet,  such  obscure  types  of  failures  are  typical 
in  complex  control  systems.  As  discussed  in  the  subsection 
above,  due  to  the  indirect  relationship  of  alarms  to  the  actual 
failures,  the  occurrence  of  an  alarm  can  prove  of  little  use  in 
locating  its  cause. 

As indicated in case 32, troubleshooting diagrams were provided only
on Ship C. These utilized a format known as the "quick look." That is,
they itemize potential types of failures, such as "Fuel Oil Valve
Incorrectly Closes," then list the possible causes for this together
with any pertinent troubleshooting instruction. Such troubleshooting
aids as this "quick look" documentation would be a valuable asset for
every system.

Another area where improved documentation would be of great value
involves better definitions for, and identifications of, the logic
signals. For instance, on one ship logic signals were referred to by
such cryptic abbreviations that it was difficult to tell what these
signals were really "doing." A general ground rule for well documented
systems is that the signals be identified, their functions listed, and
any other pertinent information provided.

Also, with complex digital circuitry as is found in engine room
automation systems, logic equations are highly useful both for
understanding the system and for tracing signals. This is especially
the case for the NAND-NOR logic that is usually used with integrated
circuits, since the logic relationships are not always clear cut
(Figure X-5). Logic equations would indicate the AND-OR relationships
required to produce the ultimately desired signal. These logic
equations should use well-defined terminology, as just discussed.

Another type of documentation useful for gaining an understanding of a
system and for troubleshooting is a programming-type flowchart of the
logic flow. In such documentation, the basic requirement is stated in
the form of a question in the top-most block, such as "Is purge
needed?" The flowchart then proceeds exactly as a computer program
flowchart. For example, the block underneath the top-most block would
then pose the question "Has boiler shut down?"; if yes, then purge
would be required, and so forth. This gives a very good indication of
the overall logic requirements and, coupled with logic equations,
allows the detailed logic to be figured out fairly quickly.
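As an added illustration of the logic equation and flowchart documentation recommended above, and not part of the report, the following Python script evaluates a NAND gate netlist, prints its truth table, and derives the AND-OR equation from it. The three-gate purge-permit circuit it contains is hypothetical, constructed for the example; its signal names and the documented equation PURGE_REQUIRED = (BOILER_SHUTDOWN AND AIRFLOW_PROVEN) OR MANUAL_PURGE are assumptions, not a circuit from any of the ships studied. The same evaluator accepts NOR, AND, OR and NOT gates, so it can be pointed at any small netlist taken from a schematic.

```python
# Added worked example (not from the report): deriving the AND-OR logic
# equation and truth table from a NAND gate netlist, as recommended for
# troubleshooting documentation. The netlist is a HYPOTHETICAL purge-permit
# circuit constructed for illustration, not a circuit from the ships studied.
from itertools import product

GATES = {
    "NAND": lambda *x: not all(x),
    "NOR":  lambda *x: not any(x),
    "AND":  lambda *x: all(x),
    "OR":   lambda *x: any(x),
    "NOT":  lambda x: not x,
}

# (output signal, gate type, input signals). Evaluation order is list order,
# so every gate's inputs must be either primary inputs or earlier outputs.
PURGE_NETLIST = [
    ("N1", "NAND", ("BOILER_SHUTDOWN", "AIRFLOW_PROVEN")),  # = NOT(S AND A)
    ("N2", "NAND", ("MANUAL_PURGE", "MANUAL_PURGE")),        # = NOT M
    ("PURGE_REQUIRED", "NAND", ("N1", "N2")),                # = (S AND A) OR M
]
INPUTS = ("BOILER_SHUTDOWN", "AIRFLOW_PROVEN", "MANUAL_PURGE")


def evaluate(netlist, inputs):
    """Propagates the input levels through the netlist; returns every
    signal, primary inputs and gate outputs alike, as booleans."""
    signals = dict(inputs)
    for name, gate, ins in netlist:
        signals[name] = GATES[gate](*(signals[i] for i in ins))
    return signals


def truth_table(netlist, input_names, output):
    """All 2^n input combinations with the resulting level of `output`."""
    rows = []
    for levels in product((False, True), repeat=len(input_names)):
        inputs = dict(zip(input_names, levels))
        rows.append((inputs, evaluate(netlist, inputs)[output]))
    return rows


def sum_of_products(rows):
    """The AND-OR equation the report asks for: one AND term per row where
    the output is true, OR'ed together (canonical form, not minimised)."""
    terms = []
    for inputs, out in rows:
        if out:
            terms.append(" AND ".join(name if level else "NOT " + name
                                      for name, level in inputs.items()))
    return " OR ".join("(" + t + ")" for t in terms)


def matches_documented_equation(netlist, input_names, output, equation):
    """Checks the netlist against a documented equation (a callable taking
    the inputs in `input_names` order) on every input combination, the
    check a troubleshooter wants before trusting a drawing."""
    return all(out == equation(*inputs.values())
               for inputs, out in truth_table(netlist, input_names, output))


if __name__ == "__main__":
    rows = truth_table(PURGE_NETLIST, INPUTS, "PURGE_REQUIRED")
    for inputs, out in rows:
        print({k: int(v) for k, v in inputs.items()}, "->", int(out))
    print("PURGE_REQUIRED =", sum_of_products(rows))
    print("matches (S AND A) OR M:",
          matches_documented_equation(PURGE_NETLIST, INPUTS, "PURGE_REQUIRED",
                                      lambda s, a, m: (s and a) or m))
```

The three NAND gates look nothing like the AND-OR statement they implement, which is the report's point about NAND-NOR logic; the truth table and the derived equation are what the documentation should carry beside the schematic.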

As  pointed  out  in  cases  33  and  34,  all  documentation 
should,  of  course,  be  current  and  complete. 

Reducing troubleshooting time also requires the availability of
adequate test equipment and knowledge of how to use it. On the vessels
evaluated, it appeared that adequate test equipment had been provided
and that at least one crew member on each vessel was knowledgeable in
its use. However, the literature survey of Task I indicates a general
opinion that ships' crews are not trained in the use of test
equipment. If troubleshooting consists of removing cards and testing
them in a card tester, there is very little that has to be taught in
the way of utilizing the equipment. However, if troubleshooting
requires the use of more sophisticated test equipment (such as
oscilloscopes), more training could certainly be needed.


C.(2)(d) Reduce Repair Time

Case 35: Spare Parts Provisions:

On all three ships evaluated, the automation system manufacturers
originally recommended a complement of spares but indicated that there
was little basis for the recommendations.


On  all  three  vessels  the  complement  of  spares  was  later  adjusted 
to  more  accurately  reflect  spare  part  usage. 

Discussion:

Once troubleshooting has identified the cause of the problem, the
failed item must then either be replaced or repaired. In either case,
spare parts will be required. Therefore, reducing repair time can be
accomplished in three ways:

a) Maintaining an adequate supply of spares

b) Ensuring that the spares are readily identifiable and accessible

c) Optimizing the ease of replacement

As a minimum, there should be at least one spare module for each
module type. More spares should be available for modules with high
failure rates. For determining a "safe" number of spares, a good
rule-of-thumb is to compare the module's MTBF with the time required
to obtain shoreside replacements. For instance, if it requires two
months (about 1,450 hours) to obtain shoreside replacements, and a
particular module has an MTBF of about 500 hours, then about three
failures (1,450/500) can be expected before replacements arrive, and
at least three spares should be available on-board. Ideally, the MTBF
used in making this rule-of-thumb comparison should be based on
actual, in-service replacement data.
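The rule-of-thumb above can be stated as a calculation and extended to a stated confidence level. The following Python script is an added example and is not part of the report; it uses the report's 1,450-hour lead time and 500-hour MTBF, while the Poisson model and the 90 and 99 percent confidence levels are an extension beyond the report's rule. The Poisson version answers the question the rule-of-thumb leaves open: how many spares are needed to have, say, a 90 percent chance of not running out before shoreside replacements arrive.

```python
# Added worked example (not from the report): the spares rule-of-thumb of
# Section C.(2)(d), plus a Poisson stock level for a chosen confidence.
# Lead time and MTBF in the demo are the report's figures; the confidence
# levels are assumed.
import math


def mtbf_from_field_data(operating_hours, replacements):
    """The report prefers in-service data: MTBF = hours run / replacements."""
    if replacements == 0:
        return float("inf")
    return operating_hours / replacements


def expected_failures(mtbf_hours, resupply_hours):
    """Mean number of failures of one module type during the resupply
    lead time, assuming a constant failure rate of 1/MTBF."""
    return resupply_hours / mtbf_hours


def spares_rule_of_thumb(mtbf_hours, resupply_hours):
    """Report's rule: enough spares to cover the expected failures before
    shoreside replacements arrive, and never fewer than one per type."""
    return max(1, math.ceil(expected_failures(mtbf_hours, resupply_hours)))


def poisson_cdf(k, mean):
    """P(at most k failures) for a Poisson process with the given mean."""
    return sum(math.exp(-mean) * mean ** i / math.factorial(i)
               for i in range(k + 1))


def spares_for_confidence(mtbf_hours, resupply_hours, confidence):
    """Smallest stock level s such that P(failures <= s) >= confidence,
    treating failures over the lead time as Poisson with mean T/MTBF.
    The rule-of-thumb corresponds to roughly 50 percent confidence."""
    mean = expected_failures(mtbf_hours, resupply_hours)
    s = 0
    while poisson_cdf(s, mean) < confidence:
        s += 1
    return max(1, s)


if __name__ == "__main__":
    LEAD = 1450   # two months, per the report
    for mtbf in (500, 2000, 20000):
        print("MTBF %6d h: rule of thumb %d, 90%% confidence %d, 99%% confidence %d"
              % (mtbf, spares_rule_of_thumb(mtbf, LEAD),
                 spares_for_confidence(mtbf, LEAD, 0.90),
                 spares_for_confidence(mtbf, LEAD, 0.99)))
```

For the report's example module (MTBF 500 hours, 1,450-hour lead time) the rule-of-thumb gives three spares, which is only about a two-in-three chance of not running out; five spares are needed for 90 percent confidence and seven for 99 percent. For long-MTBF modules both methods agree on the single spare per type that the report sets as the minimum.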

Ensuring that spares are readily identifiable and accessible seems a
straightforward, obvious requirement. Optimizing the ease of
replacement also seems obvious, and is straightforward where modular
approaches, quick disconnects, and the like are possible.

Another requirement with regard to spares is that they be operable
when called upon for use. This is a self-evident requirement for
restoring normal operation following a failure. Also, it is likely
that if an engineer had correctly diagnosed a failure but the spare
was inoperable, he would doubt his diagnosis and look elsewhere for
the problem.

On Ship A, a system utilized to ensure that spares are operable
involves swapping all spares with their operating counterparts at six
month intervals. Besides providing assurance that the spare parts are
operable, this also keeps them from "lying around gathering dust".


C.(2)(e) Minimize System Restoration Time

Case 36: Electronic Adjustments:

A firm specializing in the repair of marine control systems
reports that on a particular turbine control system, a large
number of electronic adjustments cause confusion and allow
individual interpretation of the set-up of the system. (This
system was not one of those evaluated during this study.)


Case 37: Potentiometers:

On Ships A and C, several printed circuit cards have
potentiometers which must be set or adjusted to attain proper
delay times or voltage functions. The purpose of these
potentiometers is to allow a generalized approach to the printed
circuit card, i.e., the card can be used on a variety of vessels
and the voltage function or time period "trimmed" to suit the
particular vessel. Apparently, once these potentiometers are
set, they do not need resetting, e.g., the time delay they
provide then becomes "set" for the particular vessel.

Discussion:

Minimizing system restoration time implies that once a
repair has been effected, the system be put back into service as
quickly as possible. This, in turn, implies that the need for
calibrations, realignments, checks, etc. be minimized.

As  indicated  in  cases  36  and  37  above,  if  a  card  containing 
a  potentiometer  or  some  other  type  of  adjustment  was  replaced, 
the  replacement  card  would  have  to  be  adjusted.  This  could  take 
considerable  effort  of  a  cut-and-try  nature. 

There are alternate ways of obtaining time delays and
voltage functions that would not require potentiometers or
adjustments on the printed circuit cards. If some setting is
necessary, it should be provided through some positive means,
preferably on a console face (for instance, a knob with a
calibrated escutcheon).


XI.  MAINTENANCE  ANALYSIS 


A.  BACKGROUND  AND  HISTORICAL  DATA 

The effect of maintenance on commercial vessel equipment
availability or reliability is difficult to determine from the
historical data. During Task I, no documents were found that
quantitatively evaluated such effects. The literature did
describe preventative maintenance test programs for two ships, the
Sugar Islander and the Lash Turkite. The report states that
there was a reduction of out-of-service periods and breakdowns,
but no quantitative values were given.

One relevant document on this subject is an electrical
power industry report entitled, "A Comparative Analysis of PWR
Nuclear Plants."* This report evaluates the effects that
detailed maintenance plans have on the availability of nuclear
reactor plants. The maintenance engineering approach which is
described stresses classical reliability and maintainability
engineering principles. The paper also points out the necessity
of a detailed data base to identify problem areas in which
improvements can be made to achieve higher levels of reliability
and availability. The conclusion of this paper is that the
current availability of Westinghouse domestic plants is
approximately 74 percent, and that the target with the detailed
maintainability engineering approach is an 8 to 9 percent
improvement.


The Navy's approach to maintenance planning and procedures
is described in a document entitled "Engineered Marine System
Maintenance Extends Life Cycle."** This paper documents the
strategy developed by the Navy for insuring the operational
readiness of surface combat ships, and discusses the development
of engineered maintenance programs for four ship classes. It
describes the approach taken to identify and resolve
reliability, maintainability, and logistics problems and to define,
document, and schedule significant maintenance requirements
during the extended operational cycle. A critical part of the
engineered maintenance cycle is the documentation of equipment
failures that reduce the capability of ship systems.


*1981 Proceedings, Annual Reliability and Maintainability
Symposium, S.G. Scaglia, principal engineer, Westinghouse Water
Reactor Division, Pittsburgh, PA.

**1982 Proceedings, Annual Reliability and Maintainability
Symposium, G.A. Lewis, ARINC Research Corporation, Annapolis,
Maryland.


The results of the Navy's engineering maintenance program are
shown in Figures XI-1 and XI-2. Figure XI-1 shows ship
availability measured as both a function of total time and
maintenance downtime, including scheduled and unscheduled
maintenance. This figure includes data on ships participating in
the engineered maintenance program as compared to ships that are
not. The X axis is time. At the eighth quarter after overhaul,
there is a 4.6 percent difference in availability between the
ships in the program versus data collected prior to the
maintenance engineering program (i.e., on ships not in the program).
Figure XI-2 compares the reported problems of ships both before
and after participating in the maintenance engineering effort.
The plotted lines, which are normalized to the ship's operating
time, reflect a 27 percent improvement in the ships that have
undergone the engineered maintenance effort.

The  Nuclear  Plant  Reliability  Data  Report  published  by  the 
Southwest  Research  Institute  does  present  quantitative  data  as 
to  the  number  of  failed  parts  found  during  test  and  maintenance. 
This  was  the  basis  for  developing  the  maintenance  reduction 
factors  given  in  Section  VI-B  of  the  report. 

As  indicated  above,  there  is  no  quantitative  data  to  show 
improvements  in  commercial  vessel  reliability  or  availability 
due  to  scheduled  maintenance.  However,  there  is  data  from  other 
sources,  such  as  that  summarized  above,  and  years  of  experience 
in  both  military  and  commercial  applications  that  leave  little 
doubt  as  to  the  benefits  of  scheduled  maintenance. 


B.  LOGISTICS  SUPPORT  ANALYSIS  PROGRAM 

Logistic  support  analyses  have  been  required  on  military 
programs  for  many  years.  The  objective  of  these  analyses  is  to 
ensure  operational  readiness,  or  in  other  words,  an  acceptable 
level  of  equipment  availability.  While  a  military  type  approach 
certainly  does  not  seem  warranted  for  commercial  vessels,  the 
application  of  the  basic  techniques  of  these  support  analyses 
would  improve  equipment  availability.  These  techniques,  and 
their  applicability  to  commercial  vessels,  are  described  below. 


a) Maintenance Echelon Analysis: This analysis
determines where maintenance is to be performed,
i.e., underway, in port, or during lay-up (i.e.,
"depot").

b)  Maintenance  Task  Analysis:  This  analysis 
identifies  and  defines  maintenance  task 
sequences,  task  times,  and  task  frequencies. 

c) Test and Support Equipment Analysis: In this
analysis, requirements are identified for on board
equipment, depot equipment, and back-up
equipment such as that which might be
provided by technical representatives.

d) Spare and Repair Part Analysis: This analysis
determines requirements for on-board spares at the
piece part, module, and assembly levels; depot
requirements for piece parts, assemblies, etc.;
pipeline piece part, assembly, etc., requirements;
and parts available from suppliers and local
technical representatives.

e)  Personnel  and  Training  Analysis:  This  analysis 
evaluates  skills  and  training  requirements  for 
on-board  crew  members,  dry  dock  personnel,  and 
technical  representatives. 

f) Technical Data Analysis: During this evaluation,
the adequacy of manuals, schematics, catalogs,
etc., is assessed.


g) Transportation and Handling Equipment Analysis:
This analysis identifies the equipment required to
handle large assemblies, and how spares should be
packaged so that they will not be degraded due to
the effects of the environment and transportation.

h)  Facilities  Analysis:  This  effort  assesses  such 
factors  as  the  space  aboard  the  vessel,  depot 
facilities,  and  supplier  facilities. 

The usual approach when performing a logistics support
analysis is first to define the maintenance concept. This
concept provides the criteria for subsequent maintenance analyses,
and defines overall levels of support, support policies, and
desired effectiveness factors, such as availability and
reliability. The maintenance concept must consider the total system
and the environments in which the system is to operate. All
constraints must be defined at this time.


From the maintenance concept, a detailed maintenance plan
is then generated. This plan is the working document from which
the overall support requirements of the system will be developed.
Once the detailed maintenance plan has been developed, logistics
support analyses are then performed on individual components and
repairable assemblies. A complete logistics analysis is a very
exact and time consuming process. Also, a great deal of back-up
data is required, such as failure rates, corrective action
rates, times to repair, etc. Nevertheless, certain portions of
it could be tailored for use on commercial vessels.

Ideally, each owner/operator would develop an individual
maintenance concept and maintenance plan. This plan would be
tailored to the equipment involved and the types of operations
being performed. It would define the effectiveness parameters
which are critical to operation, and indicate the means to be
taken to maximize these parameters. It would then individually
evaluate all factors, such as spares, test equipment, crew
training, facilities, etc. A general approach would be to
start with system level requirements and apportion them down to
subsystems and then to the components and piece parts. The
analysis process would then begin in the reverse direction. This
would be to evaluate the lowest level of piece parts and
generate requirements in the areas of reliability, scheduled
maintenance, and non-scheduled maintenance. This would then be
repeated for components, subsystems, and then systems.
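An added example, not part of the report, of the top-down apportionment and bottom-up roll-up just described, using steady-state availability A = MTBF / (MTBF + MTTR) for elements in series. The equal-apportionment rule (each of n series subsystems receives the nth root of the system target), the function names, and the component MTBF/MTTR figures in the sample are my assumptions chosen for illustration; a real plan would weight the allocation by each subsystem's complexity and criticality.

```python
def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one repairable element."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive, MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def apportion_series(target: float, n: int) -> float:
    """Top-down step: share a system availability target equally among n
    series elements; each must then reach target ** (1/n) (assumed rule)."""
    if not 0.0 < target <= 1.0 or n < 1:
        raise ValueError("target must be in (0, 1] and n >= 1")
    return target ** (1.0 / n)


def rollup_series(availabilities) -> float:
    """Bottom-up step: series elements are all required, so availabilities
    multiply."""
    product = 1.0
    for a in availabilities:
        product *= a
    return product


def evaluate(target: float, subsystems: dict) -> tuple:
    """subsystems maps a name to its series components as (MTBF, MTTR) pairs
    in hours. Returns (per-subsystem report, predicted system availability),
    flagging every subsystem whose predicted value misses its allocation."""
    allocation = apportion_series(target, len(subsystems))
    report = {}
    for name, components in subsystems.items():
        predicted = rollup_series(availability(m, r) for m, r in components)
        report[name] = {
            "allocated": allocation,
            "predicted": predicted,
            "meets": predicted >= allocation,
        }
    system_predicted = rollup_series(v["predicted"] for v in report.values())
    return report, system_predicted


if __name__ == "__main__":
    # Constructed figures: two control subsystems, components in series
    sample = {
        "throttle control": [(2000, 4), (1000, 2)],
        "boiler control": [(5000, 8)],
    }
    report, system_a = evaluate(0.98, sample)
    for name, row in report.items():
        print(f"{name:18s} allocated {row['allocated']:.4f} "
              f"predicted {row['predicted']:.4f} meets={row['meets']}")
    print(f"system predicted {system_a:.4f}")
```

The two passes mirror the text: `apportion_series` is the downward allocation, `rollup_series` the upward evaluation, and the comparison in `evaluate` is where a subsystem that cannot meet its share is identified for added spares, redundancy or reduced repair time.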


C.  MAINTENANCE  ANALYSIS  APPROACH 

The maintenance analysis which was performed during this
study on the components of automation systems is not a classical
analysis as compared to the processes described above.* Because
of limitations in the scope of work and the undefined
maintenance concept and plans, individual components cannot be
evaluated as part of a total integrated program. Frequency and
depth of all maintenance actions in many cases are subjected to
trade-offs; however, in this study the engine room maintenance
cannot be optimized because only a portion of the total engine
room equipment was evaluated. Although the automated controls
are a very important aspect of the ship's machinery, they
require a relatively small portion of the overall vessels'
preventative maintenance efforts.


D.  PREVENTATIVE  MAINTENANCE  ANALYSIS 

As a subtask of Task III, an analysis was conducted to
evaluate preventative maintenance approaches and requirements
from the standpoint of their relationship to reliability. This
evaluation covered 2 areas. First, the "state-of-the-art" of
preventative maintenance practices was surveyed. This focussed
on what can, and cannot, be accomplished through preventative
maintenance. Second, manufacturers of equipment utilized in the
systems covered in this study were contacted to determine their
recommended preventative maintenance requirements. Third,
preventative maintenance practices and requirements were


*For  this  study  only  the  preventative  maintenance  aspects  of  the 
total  logistic  support  analysis  environment  were  considered. 
analyzed to identify and quantify maintenance-related impacts on
part failure rates. This information was then utilized to
develop preventative maintenance requirements for both steam and
diesel vessels. These 2 areas are discussed in the subsections
below.


D.(1) State-Of-The-Art Of Preventative Maintenance

At the present time, control systems can be implemented via
4 basic technological approaches. These are: electronics
(either digital or analog), electro-mechanical (relays, solenoid
valves, etc.), pneumatics, and hydraulics. Most control systems
utilize some combination of these basic approaches.
Improvements in the devices within these categories will certainly
occur (for instance, microprocessors and very large scale
integrated circuits (VLSI) will replace some types of electronic
devices currently used). There is no indication, however, that
any new type of technological category will be developed in the
foreseeable future. Thus, evaluating the state-of-the-art of
preventative maintenance practices requires evaluating current
practices with each of these approaches.

In the technological category of electronics, preventative
maintenance is generally regarded as impossible. That is, there
is no way that electronic parts can be refurbished. Also, no
systematic, accurate means exist for detecting impending
failures in electronic parts, although some electronics technicians
maintain that degrading electronic parts are sometimes hotter
than normal to the touch.

In the 1950's and early 60's, a preventative maintenance
practice commonly used in electronic systems involved marginal
power tests. To conduct these tests, the voltage output of the
power supply was first increased and then decreased by a slight
amount (5% or under). Under each condition, the system was then
operated in a functional test mode, with the premise being that
"weak" parts would not function properly under marginal power
conditions. This approach was abandoned with the advent of
integrated circuits.

Today, the accepted approach to "preventative maintenance"
of electronic systems is to ascertain that they operate in as
benign an environment as possible. To achieve this, adequate
cooling through the use of air conditioning, fans, and heat
sinks is mandatory. In shock and vibration environments,
resilient equipment mounts can be provided for damping. In
marine applications, humidity control can sometimes be used to
decrease the severity of the environment.

In non-electronic equipment, lifetimes can be predicted
with a reasonable degree of certainty. This allows the
equipment to be retired or overhauled before wear-out. Electronic
parts, on the other hand, exhibit such long lifetimes that it is
difficult to determine when they are approaching wear-out. The
communication system on one U.S. spacecraft, for instance, is
still performing properly 15 years after launch.

Electrolytic capacitors are probably an exception to this
long lifetime trend. A firm specializing in the repair of
marine automation systems reports that it frequently encounters
"worn-out" electrolytic capacitors. To avoid in-service
problems, this firm replaces all control system electrolytic
capacitors while the ship is in lay-up.

The one other exception known to DOVAP is connectors.
These are prone to such damage as bent contacts from
mating/de-mating, or to increased contact resistance due to dirt
or corrosion. These items, too, should be inspected during
lay-up and cleaned or replaced as necessary.

In the electro-mechanical technological category,
preventative maintenance is possible but is all too often neglected.
Items in this category include relays, contactors, console
switches, limit switches, many types of actuators and sensors,
solenoid-actuated valves, etc. In many cases, manufacturers of
such devices recommend specific maintenance actions.

Devices  in  this  category  share  2  major  characteristics: 
they  usually  utilize  contacts,  and  most  handle  currents  in  the 
ampere  (as  opposed  to  milli-amp)  range.  This  implies  that  the 
contacts  and  the  wiring,  wiring  terminals,  and  junction  points 
should  be  kept  in  good  working  order. 

Except for devices in sealed containers, contacts should be
inspected on the order of every 2 months. More frequent
inspection is warranted if the devices are in an oily or dirty
environment. Contacts should be cleaned, and checked to
determine that they open/close properly. Contacts switching large
loads or any inductive load can be subjected to arcing and
subsequent pitting and welding, and the entire device should be
replaced if this is noted. If the contact device is in a sealed
container that is difficult to open, and if the seal is intact,
it is probably better left alone.

Wiring and wiring points should be inspected for signs of
wear, accumulations of dirt, oil, or corrosion, and indications
of potential opens/shorts. Insulation should also be checked
for signs of deterioration. Such inspections should be
conducted annually for devices in benign environments; inspection
frequencies should be on the order of every 2 months if the
device is subject to heat, vibration, or contamination.

Other candidate electro-mechanical areas for routine
inspections are actuating mechanisms, which often involve some
form of spring tension. Actuating mechanisms should be checked
for signs of over-travel, under-travel, and general "looseness".
All electromechanical devices should be checked to determine
that they are securely mounted.

Finally,  since  electro-mechanical  devices  are  subject  to 
wear-out,  they  should  be  replaced  before  they  reach  end-of-life. 
The  replacement  interval  can  be  determined  from  manufacturer's 
information,  if  available,  or  from  experience. 

The  pneumatic  technological  category  is  another  area  where 
preventative  maintenance  is  possible.  The  foremost  requirement 
in  this  area  is  maintaining  a  clean,  dry  air  supply.  This,  in 
turn,  requires  regular  attention  to  filters  and  dryers. 

Many pneumatic devices will have some type of gasket,
O-ring or seal that requires periodic replacement.
Manufacturers usually provide replacement recommendations for
such items.

Many pneumatic devices will also have some type of bellows
or diaphragm that can be subject to degradation. By observing
operation for signs of "sloppiness" or "sluggishness", this can
sometimes be detected without tearing the device down.

Visual inspections of pneumatic devices can sometimes
reveal potential failures. For instance, if the body of the
device shows signs of corrosion, there may also be internal
corrosion that could cause problems. Impending defects in
pneumatic tubing are sometimes indicated by stress cracks, and can
be detected visually.

All  pneumatic  connections  should  be  checked  for  tightness 
at  least  twice  a  year.  If  the  device  is  in  a  high  vibration 
area,  checks  should  be  made  more  frequently. 

Many pneumatic devices, especially if they are at all
complicated, will have a set of very specific manufacturer's
maintenance recommendations. These should, of course, be followed.

Pneumatic  devices  are  also  subject  to  wear-out,  and  should 
be  replaced  at  the  proper  time. 

Maintenance requirements and practices in the hydraulic
technological category are generally similar to those for
pneumatics.

The  oil  should  be  kept  clean,  which  implies  attention  to 
filters.  Gaskets,  O-rings,  seals,  etc.,  should  be  periodically 
replaced.  Devices  should  be  visually  inspected,  and  hydraulic 
lines  should  be  kept  tight.  Manufacturer's  recommendations 
should  be  followed,  and  devices  should  be  replaced  before  they 
approach  wear-out.  The  hydraulic  oil  supply  should  obviously  be 
kept  at  the  proper  level. 

An area unique to hydraulics concerns its power capability.
That is, it is usually used for manipulating large mechanisms or
large loads. In addition, in applications such as turbine steam
valve control and CPP control, the "manipulations" must be
within tolerances. During layup, all hydraulic elements subject
to wear should be inspected, and replaced or repaired if they
are out-of-tolerance.


D.(2) Steam Control System Preventative Maintenance

To identify control system preventative maintenance
requirements, DOVAP evaluated part classes and part types as
separate entities to define the best maintenance approach for the
individual part classes and types. Recommendations were
developed with respect to maintenance that should be performed on
propulsion system controls, parts, and assemblies. However,
these recommendations should be modified and/or adjusted from
the standpoint of integrating the piece parts recommendations
into the total ship machinery maintenance plan.

The maintenance of individual parts is broken down into
inspection, test, and preventative maintenance. These are
defined as follows:


(a) Inspection: This involves scheduled visual
inspection of the hardware and includes inspection
for leaks, cracks, corrosion, etc. Many failure modes
are visually detectable long before the part
degrades to the point of functional failure.


(b) Test: This could be the test of an entire subsystem
or of individual components. Where possible, alarms
and safety systems should be checked by creating a
true abnormal situation. For example, boiler level
alarms should be checked by a real increase or
decrease of the drum level until the boiler shuts
down. This demonstrates that the complete chain
of the safety circuit is operable. When testing the
alarms, all of the components in some alarm circuits
cannot be tested (for example, the main turbine
overspeed trip or actual rotor displacement).


(c) Preventative Maintenance: This could be the
scheduled replacement of seals, filters, etc., the
cleaning of pneumatic parts, or the removal of
corrosion from contacts.

The preventative maintenance functions listed below are the
general actions which should be taken for each class of parts
used in automated propulsion control systems. Specific
recommendations provided by the suppliers or the system manufacturer
should be followed.

D.(2)(a) Actuators, Pneumatics:

a)  Drain  traps,  every  watch. 

b)  Inspect  every  2  months. 

Inspect  air  supply,  clean,  dry,  no  contamination. 
Inspect  filters  for  dirt,  contamination. 

c)  Test  yearly. 

Stroke  actuator  with  test  input. 


D.(2)(b) Alarms:

a)  Periodic  testing  every  2  to  6  months  depending 
upon  criticality. 

b)  When  feasible  the  entire  alarm  circuit  should 
be  tested  including  the  sensor.  This  should  be 
done  either  by  clearing  the  system  through  the 
alarm  trip  points  or  by  isolating  the  sensors  and 
simulating  the  sensor  stimulus. 

c)  When  only  testing  alarm  circuits,  input  signals 
should  be  simulated  or  tested  for  opens  from  the 
field. 


D.(2)(c) Connectors:

a)  Inspect  every  6  months. 

Inspect  for  corrosion,  contamination,  bent  pins, 
moisture,  loose  connections,  frayed  cable. 

b)  Preventative  maintenance  as  required.  Remove 
corrosion,  contamination,  etc. 


D.(2)(d) Horns:

a)  Test  daily. 

Test  operation  by  simulating  alarm  condition. 


D.(2)(e) Ignitor:


a)  Inspect  weekly. 

Check  carbon  rod  and  pad  for  contamination 
and  corrosion. 


D.(2)(f) Pneumatic Control Devices:

a) 1) Low Select

   2) High Select

   3) I/P Convertor

   4) Controller

   5) Square Root Extractor

b) Test yearly.

Check operation with test signals and gauges.


c) Maintenance:

Replace diaphragms as required, maximum time
between replacement, 5 years.

d) Overhaul as required.

Shipyard overhaul items.


D.(2)(g) Pneumatic Differential Pressure Transmitter:

a) Test yearly.

Check calibration with test pressure
and gauge. Monitor remote indicator
to ensure same indication as local gauge.

b)  Maintenance  monthly. 

Flush  sensing  lines  to  remove  contamination. 

c)  Overhaul  as  required. 

A  shipyard  overhaul  item. 


D.(2)(h) Pneumatic Filters:

a) Inspect monthly.

Check  for  contamination,  moisture,  replace 
as  needed. 


D.(2)(i)  Pneumatic  Pressure  Regulator: 

a)  Inspect  water  trap  for  dry  air  daily. 

b) Test every six months.

Output pressure for proper setting.

c) Preventative Maintenance.

Replace diaphragm as needed or maximum of 5 years.


D.(2)(j) Printed Circuit Board Assemblies:

a) Inspect every six months.

Connectors  for  corrosion,  contamination,  or  wear. 

b)  Test  yearly. 

Test  spares  using  card  tester. 


D.(2)(k) Power Supplies:

a)  Inspect  every  3  months. 

Inspect  for  signs  of  over  temperature. 
Inspect  for  moisture. 

Inspect  for  contamination. 

b) Test and tune yearly.

Test voltages.

c) Tune system.


D.(2)(l) Pumps:

a) Inspect every

Inspect for corrosion, leaks, signs of heat
damage, switches for contamination and wear.

b) Test monthly.

Test  automatic  back  up  switching. 

Switch  to  back  up  in  order  to  have  equal 
operating  time  on  each  pump. 

c)  Test  every  six  months. 

Pressure  switches. 

d) Overhaul as required.

D.(2)(m) Switch, Level:

a)  Inspect  every  6  months. 

Loose  connections,  frayed  wiring. 

b)  Test  yearly. 

System  check  for  proper  level  activation. 

c) Preventative Maintenance, every 6 months.
Clean/replace  electrodes  if  needed. 
D.(2)(n) Relay:

a) Inspect 6 months to a year (critical relays
every 6 months).

Contacts for arcing, contamination.

b)  Preventative  Maintenance. 

Clean  contacts  or  replace  relays  as  required. 


D.(2)(o) Switches, Limit:

a)  Inspect  monthly. 

Check  connections,  check  actuating  device 
for  wear,  corrosion,  and  contamination. 

b)  Test  every  6  months. 


D.(2)(p)  Switch,  Pressure: 

a)  Inspect  every  6  months. 

Open cover, check diaphragm for leaks, moisture.

b)  Test  yearly. 

Test  with  system  pressure  or  test  pressure  kit. 


D.(2)(q) Transducers, Resistance
Temperature Device:

a)  Inspect  every  6  months. 

Open  connection  box,  check  for  contamination, 
corrosion,  heat  deterioration  of  cable,  loose 
connections,  frayed  wires. 

b)  Test  yearly. 

Disconnect  wire  at  console.  Measure 
resistance  against  specification.  Check  for 
grounds.  Check  for  high  resistance  junction. 
Zero  and  span  signal  condition  circuit. 


D.(2)(r) Transmitters:

1) Flow

2) Level

3) Pressure


a)  Inspect  every  6  months. 

Open  cover  and  inspect  for  signs  of  damage,  water, 
corrosion,  connections  loose,  wiring  frayed. 

b)  Test  yearly. 
Zero and span with pressure kit and gauges.
(Pressure transmitter).


D.(2)(s) Valves, Hydraulic
Throttle Control:

a)  Inspect  every  2  months. 

b)  Test  monthly. 

Check  during  throttle  tests  for  leakage  or  sticking. 

c)  Overhaul. 

Pressure  test  for  leaks  during  shipyard  overhaul. 


D.(2)(t) Valves, Pneumatic Control:

a)  Inspect  every  2  months. 

Inspect  shaft  for  binding. 

Inspect body for cracks, leaks, corrosion, etc.

b)  Test  yearly. 

System  test.  Observe  for  flow  when  valve  closed 
or  break  up  stream  and  introduce  pressure. 

Check  for  leaks  downstream. 

c)  Preventative  maintenance. 

Disassemble  and  inspect;  replace  worn  parts. 
Adjust  packing  nut. 

Lubricate  per  manufacturer's  recommendations. 
Corrosion prevention as required.

d)  Overhaul. 

Stroke  valve  during  shipyard  overhaul. 

Rework  or  replace  seat  if  required. 

Replace  packing  if  required. 

Replace  other  worn  parts. 
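The schedule above is a set of fixed intervals per part class, which is the kind of thing that gets missed when it lives only in a manual. As an added example (not from the report), the following encodes a subset of the Section D.(2) intervals as tasks with a last-completed date and produces the list of what is due or overdue on a given day, most overdue first. The task layout, function names, the day counts used for "monthly" and "yearly", and the dates are my own constructed assumptions; the items and their intervals are the report's.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Interval lengths in days; month and year are approximations assumed here
DAY, WEEK, MONTH, YEAR = 1, 7, 30, 365


@dataclass(frozen=True)
class PmTask:
    item: str           # part class from the report's Section D.(2) schedule
    action: str         # the action, in the report's words
    interval_days: int  # how often, per the report
    last_done: date     # last completion date (constructed sample data)

    def next_due(self) -> date:
        return self.last_done + timedelta(days=self.interval_days)

    def days_overdue(self, today: date) -> int:
        # positive: overdue by that many days; negative: days until due
        return (today - self.next_due()).days


def due_tasks(tasks, today: date, lookahead_days: int = 0):
    """Tasks due on or before today + lookahead, most overdue first."""
    horizon = today + timedelta(days=lookahead_days)
    due = [t for t in tasks if t.next_due() <= horizon]
    return sorted(due, key=lambda t: t.days_overdue(today), reverse=True)


def schedule_from_report(last_done: date):
    """A subset of the steam control system schedule in Section D.(2),
    all assumed last completed on the same constructed date."""
    return [
        PmTask("Horns", "test by simulating alarm condition", DAY, last_done),
        PmTask("Ignitor", "check carbon rod and pad", WEEK, last_done),
        PmTask("Pneumatic Filters", "check for contamination, moisture",
               MONTH, last_done),
        PmTask("Actuators, Pneumatic", "inspect air supply and filters",
               2 * MONTH, last_done),
        PmTask("Actuators, Pneumatic", "stroke actuator with test input",
               YEAR, last_done),
        PmTask("Printed Circuit Board Assemblies", "inspect connectors",
               6 * MONTH, last_done),
        PmTask("Printed Circuit Board Assemblies", "test spares on card tester",
               YEAR, last_done),
        PmTask("Pneumatic Pressure Regulator", "replace diaphragm",
               5 * YEAR, last_done),
    ]


if __name__ == "__main__":
    # Constructed dates: everything done 1 January, report run 1 March
    today = date(1983, 3, 1)
    tasks = schedule_from_report(date(1983, 1, 1))
    for t in due_tasks(tasks, today, lookahead_days=7):
        print(f"{t.days_overdue(today):+4d} d  {t.item}: {t.action}")
```

With a week of lookahead the two-month actuator inspection appears alongside the daily, weekly and monthly items that are already overdue, which is the view a watch engineer needs in order to plan the work rather than discover it after the fact.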


D.(3) Diesel Control System Preventative Maintenance

On the diesel vessel evaluated during this study, the
following items were identified as candidates for preventative
maintenance:

a)  throttle  levers 


b) solenoid valves

c)  pneumatic  air  supply 

d)  relays 
e) switches


f) tachometer generator

g)  sensors 

Most  of  the  control  system  is  electronic,  and  therefore  not 
amenable  to  preventative  maintenance.  The  above  items  form  a 
very  small  portion  of  the  system  in  terms  of  numbers  of  parts, 
but  they  have  potentially  critical  failure  modes. 

The rationale for the preventative maintenance actions
identified for the above items is discussed in general terms in
Section D.(1) above (for instance the need for inspecting
contacts). Other specific information not discussed above is
provided below for each of the items.


D(3)(a)  Throttle  Levers: 

These are actually large potentiometers with limit switches at their extreme positions. There are throttle levers or potentiometers for bridge control, engine room control, cruise mode trim, and split mode operation. One of these will be continuously energized for operation when the vessel is underway.


Maintenance  Items: 

a)  Inspect  limit  switches  to  the  extent  possible. 

b)  Inspect  wiring. 

c) Inspect potentiometers for signs of wear to the extent possible.


D.(3)(b) Solenoid Valves:

a)  Inspect  wiring. 

b)  Inspect  pneumatic  connections. 

c)  Visually  inspect  valves  for  signs  of  degradation. 

d) Perform periodic functional check to determine that valve operates properly. (Some of these valves, such as the engine start or stop solenoid valves, will go for periods of days or weeks without being activated during normal operation.)


D.(3)Cc)  Pneumatic  Air  Supply: 
a) Maintain clean, dry air supply.

D.(3)(d) Relays:

a)  Inspect  contacts  where  possible. 

b)  Inspect  wiring. 

c) Perform periodic functional checks of relay boards to determine that all relays energize/de-energize properly (many of the relays on the relay boards will go for long periods without being used during normal operation).

D.(3)(e) Switches:

a) Inspect contacts where possible.

b)  Inspect  wiring. 

c) Perform periodic functional checks of seldom used switches.

D.(3)(f) Tachometer Generator:

a) Inspect wiring.

b)  Inspect  for  signs  of  wear  to  the  extent  possible. 

c)  Inspect  contacts  to  the  extent  possible. 

d)  Lubricate  per  manufacturer's  recommendations. 

e)  Periodically  verify  correct  calibration. 

D.(3)(g) Sensors:

a)  Inspect  contacts  to  the  extent  possible. 

b)  Inspect  wiring. 

c)  Periodically  verify  correct  calibration. 

d)  Check  mounting. 

e) Inspect for signs of wear.

f) Perform periodic functional checks of seldom activated sensors.
XII. MISCELLANEOUS STUDY OBSERVATIONS


During  the  course  of  the  study,  several  observations  were 
made  that  were  either  of  a  general  nature  or  not  specifically 
applicable  to  any  single  study  task.  These  observations  concern 
the  following  topics: 

a)  Environmental  Consistency 

b)  Atomizing  Steam  Source 

c)  Technology  Approach 

d)  Operational  Aspects 

e) Fault Trees vs. FMEA's

f)  Wiring 

Each of these is discussed below.


A.  ENVIRONMENTAL  CONSISTENCY 

In discussions throughout this report, the effect of the operating environment on reliability and failure rates has been indicated. In conducting the various analyses of the study, DOVAP noted, however, that environmental requirements were often inconsistent. For instance, the vibration limits called out by ABS for automation systems differ from those called out by IEEE. Temperature limits were also noted as being inconsistent. For instance, on Ship A, the documentation for the various printed circuit cards calls out different temperature extremes for different cards; e.g., one card is reported to be rated for operation at 60° C., another at 30° C., and other cards at temperatures somewhere in between.

These temperature limits should certainly be consistent, but more importantly they should reflect the actual temperature conditions the equipment will be operating under. Assuming that the engine control room is air conditioned (which it should be), an ambient temperature of roughly 25° C. would be expected. Temperature rises of 10° C. are common within equipment consoles. Thus, a temperature limit of at least 35° C. would be realistic, and another 5° to 10° would be desirable for a safety margin.


B.  ATOMIZING  STEAM  SOURCE 

On  ships  A  and  B,  the  atomizing  steam  supply  is  taken  from 
the  de-superheated  steam  header.  This  is  apparently  the  case  on 
many  steam  vessels.  No  problems  were  reported  due  to  this  on 
the  vessels  evaluated,  but  problems  due  to  wet  atomizing  steam 
on  another  vessel  have  occurred.  Taking  the  atomizing  steam 
supply  off  the  superheated  steam  header  would  permit  better 
control  and  preclude  problems  with  wet  steam. 


C.  TECHNOLOGY  APPROACH 

It seems reasonably certain that in the foreseeable future, engine room automation systems will never consist of a "pure" technological approach (for instance, "pure" digital, "pure" pneumatic, etc.). Instead, the systems are more likely to consist of hybrid approaches involving some combination of digital/analog, digital/pneumatic, etc. For instance, the automation system on Ship A is primarily digital/pneumatic; Ship B is digital/analog with some pneumatics; Ship C relies heavily on analog control loops with some digital circuitry. Hydraulics will also continue to be used in control systems, especially in areas requiring large mechanical driving forces, such as control of the steam valves in the throttle system. In the paragraphs that follow, some of the overall reliability/failure characteristics of these possible control approaches are discussed.

A major, overall reliability characteristic of any hybrid system involves potential problems at the interfaces between the differing technological approaches. For instance, it is well known that the interface between electronic control circuitry and either pneumatic or hydraulic actuators, valves, etc., can produce many problems. This was borne out in Task I in that such problems were often recorded in the literature. Also, it has been DOVAP's experience on other projects that interface compatibility requirements are often difficult to define precisely. Oversights are common, and there is often inadequate communication between the various disciplines involved. All in all, this is a major area that should be stressed during design review activities.

Since digital integrated circuits are readily available and relatively inexpensive, it seems likely that most control systems will utilize them to the extent possible. The major characteristics that impact the reliability of digital controls can be summarized as follows:

a) Since digital devices are binary, i.e., off/on, failures tend to cause them to "crash," so that there is little margin for graceful degradation.

That is, failures tend to cause the signal to go to a "true" or "false" logic level which, in turn, causes the remainder of the processing to either stop or go into some abnormal state. If the failed signal is infrequently used in the control process, it may not immediately cause this type of effect. Sooner or later, however, when the signal is needed in the process, such effects can be expected.

b) Digital integrated circuits involve almost exclusively NAND/NOR logic. Instead of AND/OR logic where the inputs are combined directly to obtain the desired signals, NAND/NOR logic inverts to produce a "not AND" or "not OR" signal. This means that either NAND or NOR gates can be used to obtain either AND or OR functions, depending on the logic levels of the input signals. (See Figure X-5 in the documentation discussion.) This can complicate the understanding of digital control systems because it can be difficult to see the exact relation that the designer has implemented.

To determine the exact function that is being implemented, the logic levels of the signals at the input must be examined, then the subsequent cascaded gates considered (for instance, whether a NAND is feeding a NOR or whatever). The impact of this on troubleshooting is discussed in Section X.

Lack of understanding of the system can also hinder design review activities.

c) There is little room for human error in a digital control system. Since it is analogous to a computer that has been programmed, if any human error or abnormal condition causes a signal to erroneously go to some particular state, the control system will do what it is "programmed" to do when this signal state occurs.

Despite these potentially serious failure effect characteristics in digital circuitry, digital integrated circuits have among the lowest failure rates of any type of hardware. One integrated circuit chip, for instance, typically has a failure rate roughly equivalent to one transistor, but recall that the integrated circuit replaces several transistors in the circuit design.

Analog circuitry has somewhat higher failure rates than digital circuitry. Mechanical-type hardware, on the other hand, has significantly higher failure rates than either type of electronic approach; pneumatic devices, for instance, have failure rates an order of magnitude or more higher than electronic parts.
D. OPERATIONAL ASPECTS


a) On Ship A, it was noted that purge is not possible from the boiler local panel. When the boiler is being lit from the local panel, an additional engineer is required at the engine room console to initiate the purge, and communications as to the status of the purge are required between the engineers. This seems an unsafe approach. It should be possible to purge from the local panel if the boiler is being lit from the local panel. DOVAP realizes that this could be difficult to implement, but the safety trade-offs would indicate that it is warranted.

b) On all the systems evaluated, some indications are provided on the bridge in the form of visual or audible alarms to indicate that certain critical failures have occurred. While these indications do alert the bridge to such critical failures as turbine trip, there are no provisions to alert the bridge to near or potentially critical conditions (such as the loss of one boiler). It seems that the bridge should be informed that the engine room is not capable of operating at full capacity. Or, in other words, the bridge should automatically be alerted that it could not call on the engine room for the full range of non-failed system capabilities.

c)  The  systems  evaluated  during  this  study  had 
adequate  boiler  front  indicators  for  visually 
monitoring  air,  fuel,  and  water.  This  is  apparently 
not  always  the  case.  A  firm  specializing  in  marine 
automation  system  repair  recommends  that  the 
necessary  gages,  sight  glasses  and  periscopes  always 
be  provided  at  a  location  where  they  can  be  observed 
directly. 


E. FAULT TREES vs. FMEA's

Based on DOVAP's conduct of both FMEA's and fault trees for the engine room automation systems, several advantages and disadvantages of both were noted. These are discussed below, and DOVAP feels they should be considered if the Coast Guard anticipates requiring one but not both of these types of analyses.


A major disadvantage of fault trees is that they are not accurate without an FMEA to serve as input data. For instance, DOVAP initially prepared the first-cut fault trees before the FMEA's were performed. These fault trees, in general, were found unrealistic or incorrect in varying degrees when FMEA results could be considered. Certainly, the top level fault tree events can be specified without an FMEA, and the second and, perhaps, even the third levels can be identified. However, getting the hardware "plugged into" the fault tree requires data from the FMEA's on the system under consideration.

A potential disadvantage of a fault tree is that it may not cover all the probability. A thorough fault tree will, of course, cover all the probability. It is very easy, however, to overlook certain situations such that certain failures with a distinct probability of occurrence are not included in the fault tree. Also, fault trees may not include the probability of "peripheral failures." For instance, it is seldom possible in a fault tree to list all the items that must be non-failed (power supply, certain supporting functions, etc.). Yet such items have a probability of failure, and contribute to the overall probability of the top level events in the fault tree. It should be noted, however, that including all such items would result in fault trees that were tediously overcomplicated and difficult to follow.

Another disadvantage of fault trees is that for control systems, they can quickly become complicated. Fault trees can model a system in a fairly straightforward manner and without getting overcomplicated. However, when they attempt to model the controls for that system, a second level of detail and abstraction is involved. This quickly introduces additional levels to the fault tree and additional relationships within each level.

The advantage of fault trees lies in their potential for hazard identification. In fact, one of the major advantages of a fault tree is that it is quite good for initial hazard identification. This can be done without going into detailed hardware considerations.

Also, an advantage of a fault tree is that it enables the analyst to find the cut sets and to identify common hardware in different paths. By finding the cut sets, the analyst can determine what type of path exists between hardware failure and critical event. In identifying the common hardware, the analyst can determine where a single hardware item plays a role in more than one critical event.

Another major advantage of fault trees is that they enable the consideration of multiple failures or events. FMEA's, per se, only address single failures or events. Fault trees, on the other hand, through considering possible AND arrangements, can evaluate the potential for a critical event due to two or more failures. In large systems with high failure rates, over a long period of time multiple failures are likely. Therefore, fault trees can serve an important function in analyzing this potential.
Turning to FMEA's, a major disadvantage is that if they are done thoroughly, they can be quite costly. Any analytical approach can be costly, but the level of detail required to do a thorough FMEA quickly leads to time-consuming, expensive analysis.

Another  disadvantage  is  that  there  is  great  reluctance  to 
do  a  thorough  job.  For  reasons  that  are  perhaps  understandable, 
engineers  simply  do  not  like  to  repeatedly  consider  the  effects 
of  part  or  component  failures,  and  they  tend  to  take  short-cuts 
or  simply  not  consider  potential  failures. 

Another disadvantage of FMEA's, as pointed out in the discussion on fault trees above, is that they can only consider single failures. There is no realistic way that an FMEA can consider multiple failures. For instance, if a system consisted of only two parts, and each of those two parts could either fail open or short, there would be four failure states. As the number of parts increases so does the number of potential failure states. If multiple failures were considered, the number of potential failure states would increase exponentially.
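The cut-set, common-hardware and multiple-failure points made about fault trees above, and the single-failure limitation of FMEA's just described, can be worked through on a small tree. The following is an added example, not part of the DOVAP report: the two top events, the component names and the gate structure are constructed for illustration (the AND gate under the first top event reflects a redundant power supply pair), and the multiple-failure state count (modes+1)^n - 1 is this example's own derivation under an assumption of independent parts.

```python
"""Minimal cut sets of a small fault tree (added example; the tree and
component names are constructed, not taken from the report)."""
from itertools import product

# A gate is a tuple (op, children) with op "AND" or "OR";
# a leaf is a basic event (component failure) given as a string.


def minimize(sets):
    """Drop any cut set that is a strict superset of another one."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Return the minimal cut sets of `node`: each is a frozenset of basic
    events whose simultaneous failure is sufficient to cause the event."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, children = node
    child_sets = [cut_sets(c) for c in children]
    if op == "OR":
        # Any child's cut set alone causes the OR event.
        combined = set().union(*child_sets)
    elif op == "AND":
        # One cut set from every child must occur together.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {op!r}")
    return minimize(combined)


def single_failure_view(sets):
    """What an FMEA, which considers one failure at a time, would surface:
    only the cut sets of size one."""
    return {next(iter(s)) for s in sets if len(s) == 1}


def common_hardware(trees):
    """Components that play a role in more than one top event, i.e. appear
    in the cut sets of several trees."""
    seen = {}
    for top, tree in trees.items():
        for cs in cut_sets(tree):
            for comp in cs:
                seen.setdefault(comp, set()).add(top)
    return {comp: tops for comp, tops in seen.items() if len(tops) > 1}


def failure_state_count(n_parts, modes_per_part, multiple=False):
    """Single-failure states are n_parts * modes (2 parts, open/short = 4,
    as in the report).  With multiple failures allowed every part is either
    ok or in one of its modes, giving (modes+1)^n - 1 non-nominal states
    (assumption: independent parts)."""
    if multiple:
        return (modes_per_part + 1) ** n_parts - 1
    return n_parts * modes_per_part


# Constructed trees for two of the undesirable events named in the report.
TREES = {
    "loss of low steam pressure turbine trip": ("OR", [
        "pressure_sensor",
        "trip_logic_card",
        ("AND", ["power_supply_A", "power_supply_B"]),   # redundant pair
    ]),
    "false turbine trip": ("OR", [
        "trip_logic_card",
        ("AND", ["pressure_sensor", "sensor_monitor"]),  # bad reading not caught
    ]),
}

if __name__ == "__main__":
    for top, tree in TREES.items():
        cs = cut_sets(tree)
        print(top)
        for s in sorted(cs, key=lambda s: (len(s), sorted(s))):
            print("   cut set:", sorted(s))
        print("   single failures (FMEA view):", sorted(single_failure_view(cs)))
    print("common hardware:", common_hardware(TREES))
    print("2 parts, open/short, single failures:", failure_state_count(2, 2))
    print("2 parts, open/short, multiple failures:", failure_state_count(2, 2, True))
```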

A major advantage of an FMEA is that it forces the engineer to think about failures. This is especially true if the designer performs his own FMEA since then he will become more conscious of the ways his equipment can fail. A related FMEA advantage is that it is the most straightforward technique for involving the designer in reliability considerations.

Other FMEA advantages are generally well known, and in fact involve the reasons for the development and application of the FMEA techniques. These advantages include: (1) FMEA's can provide the most realistic information usually available for reliability modelling and predictions, (2) FMEA's provide a systematic means of evaluating the failure behavior of all hardware within a system, and (3) from the information generated in FMEA's, critical failure modes can be identified and eliminated.


F.  WIRING 

During the Task II evaluation, DOVAP found that wiring for the systems was adequate. However, on a shipboard automation system evaluated by DOVAP on a previous project, back panel wiring as small as 26 gauge and smaller was utilized. In the potential vibration environment on shipboard, it seems that the wire sizes should be a minimum of 24 gauge. Also, in this potential vibration environment, stranded wire only should be used. ABS automation requirements state that single conductor wire can be used where there is no vibration; however, DOVAP does not feel that vibration can be ruled out for any part of a shipboard automation system.
XIII. GUIDELINES FOR COAST GUARD USE


As part of Task III, the Statement of Work required that DOVAP develop guidelines for use by the Coast Guard in the following areas of its activities:

- Propulsion automation system design approval.

- Accident investigations related to propulsion automation systems.

- Inspections and test of propulsion automation systems.

- Crew training and experience considerations.

The  guidelines  for  each  of  these  areas  are  provided  below. 

A.  DESIGN  APPROVAL  GUIDELINES: 

The purpose of these recommended guidelines is to provide a workable approach for the design approval of commercial vessel control systems. Due to the limited quantities of systems and components used by commercial vessels, and because cost limitations rule out detailed component qualification and reliability tests, the approach is based on practical considerations necessary for non-military procurements. These recommended guidelines should provide a means for substantially improving life cycle costs and reliability related to automated controls on new vessels.

The basic recommended approach is for the manufacturer, owner/operator, and the shipyard to develop a systems specification which is mutually agreed upon among themselves. The contents of the systems specifications would be provided for by the Coast Guard and would incorporate all aspects of NVIC 1-69* and the following recommended additions and/or modifications.

All of NVIC 1-69 will not be repeated in the following recommendations but only those aspects that DOVAP feels should be added or modified. A major source of problems with commercial vessel procurements in the past stems from disagreement between the manufacturers, owners/operators, and shipyards concerning the best approaches for specifying and acquiring automated control systems, and for establishing how to maintain and support the systems once they become operational. By jointly developing a systems specification, these past disagreements should be resolved. Also, the submittal of this systems specification, along with the other data required by NVIC 1-69, will provide the Coast Guard with insights into the configuration of the system and into how the system is to be supported once it is operational.

*USCG "Navigation and Vessel Inspection Circular No. 1-69, Subject: Automated Main and Auxiliary Machinery."


In order to make valid decisions with respect to the optimum system design, a historical base is needed. The owner/operator should be concerned with the life-cycle costs of any proposed system. The basis for these costs is historical failure rates, maintenance costs, support equipment costs, and other related logistic aspects. DOVAP has found that such historical data is seldom available. In addition to failure rates, the owner/operator needs to know wear-out rates and when equipment should be replaced and/or overhauled.

Many current systems are selected on the basis of the initial cost of the system and on what has been used in the past. Many relatively new systems have not taken advantage of the current state-of-the-art in the electronics field. Again, some of this is due to the lack of historical information which would allow the owners/operators to base decisions on valid trade-off information. In addition to the owners/operators needing data for making logical decisions, the manufacturers and shipyards need data so that unreliable components can be identified and the basic causes of unreliability eliminated. If 100 percent reporting cannot be instituted on all commercial vessels, an alternative plan would be to institute 100 percent reporting on a selected sample of ships. However, DOVAP feels that all vessels with new automated propulsion systems should be required to participate in a data reporting program. If the data system is properly designed, the reporting effort should not appreciably affect the crew's work load.


A.(1) Suggested Systems Specifications Outline:

A.(1)(a) System Concept

In order to ensure the successful application of automated propulsion control systems, the manufacturers, owners/operators, and shipyards should develop a system concept based on acceptable reliability levels and minimum life-cycle costs. As indicated above, many owners/operators base their ideas on equipment that has been used in the past, and do not have historical data for alternative choices. It is suggested that the systems specification contain the results of a preliminary trade-off analysis which considers various system concepts, and justifies the selection made in terms of reliability and life-cycle costs.

Also, many systems are degraded after various operational periods because of poor maintenance practices and wear-out of the equipment. This results in degradation of the initial level of reliability that has been designed into the system, and the system becomes a potential hazard. Therefore, the Coast Guard should not only be concerned with the initial design of the system, but also with how the system is to be maintained throughout its useful life.

All major aspects of the logistics and support environment should be investigated and form the basis for the support plan. As an alternative to highly trained on-board crew members, the owner/operator should at least consider the possibility of built-in test equipment (BIT) and provide the basis in the system specifications as to why one approach is chosen over the other. In addition, the systems specification should specify other types of support equipment which will be provided on board, such as printed circuit card testers.

Training considerations should cover three levels, that is, the training anticipated of the licensed personnel, unlicensed personnel, and the reliance that is to be put on on-shore personnel. The systems specification should also provide the philosophy as to the number of spares and how spares are to be handled (e.g., storage containers), and the control of limited life items.

A current chronic problem is the lack of adequate maintenance procedures and manuals. The specification should detail the manuals that will be provided, who will generate the procedures described in the manuals, and how they will be maintained and updated.

A.(1)(b) Reliability:

In addition to the system concept discussed above, the systems specification should include anticipated reliability levels for various critical functions. An overall system reliability requirement is not practical because of the many interfaces with manual operations and system overlaps. Therefore, it is suggested that the probability of certain undesirable events occurring be determined, possibly through fault tree analysis.

The  following  preliminary  list  suggests  undesirable  faults  for 
steam  systems: 

a) Loss of low steam pressure alarm.

b)  Loss  of  low  steam  pressure  MPC  action. 

c)  Loss  of  low  steam  pressure  turbine  trip. 

d) Loss of boiler level low-low trip.

e)  Loss  of  boiler  flame-out  trip. 

f)  Loss  of  purge  fail  alarm. 

g) Loss of fuel oil low pressure alarm.

h)  Loss  of  feedwater  low  pressure  alarm. 

i) Loss of low combustion air alarm.

j)  False  boiler  trip. 

k)  False  turbine  trip. 

l)  Loss  of  RPM  control. 

m) Loss of directional control.

n)  Loss  of  turbine  control  power. 

o)  Loss  of  boiler  control  power. 
For Diesel Systems:


a)  Loss  of  abnormal  engine  shutdown  alarm. 

b)  Loss  of  abnormal  de-clutch  alarm. 

c)  Loss  of  speed  command  fail  alarm. 

d)  Loss  of  direction  command  fail  alarm. 

e) Loss of engine safety shut downs (J.W. temperature high, L.O. pressure low, etc.)

f)  Failure  of  station-in-control  transfer  function. 

g)  False  engine  shutdown. 

h) False engine de-clutch.

i)  Loss  of  speed  control. 

j)  Loss  of  direction  control. 

k) Loss of control system power.

In addition to the quantitative reliability requirements, DOVAP recommends that qualitative reliability requirements be added to NVIC 1-69, as follows:

Single  Point  Failures:  There  should  be  no  single  point 
which  would  cause  the  following  conditions:  open  or  close  fuel 
oil  trip  valve;  open  or  close  burner  valve;  insert  ignitor;  open 
or  close  turbine  steam  valve. 

Opens  From  The  Field:  Wherever  possible,  opens  from  the 
field  should  drive  the  system  to  a  fail  safe  condition. 

Corrosion Prevention: Whenever possible, corrosion resistant parts should be selected.

Power Supplies: Redundant power supplies for boiler controls and turbine controls should be provided, and the supplies should switch over automatically in case of failure.

Transducers and Sensors: For unmanned engine rooms, there should be redundant sensors for all critical alarms. It is desirable to provide logic that compares the two signals and determines when there is a significant difference between the signals, indicating that a sensor failure possibility exists. If there is no automatic monitoring of the sensors, the method and frequency for periodically checking the sensors should be stated. Feedback sensors should measure actual positions, not position commands, relative positions of linkages, or intermediate control hardware. Transducers and sensors should be hermetically sealed. Since transmitters used in the field are very susceptible to vibration and heat, precautions should be taken when mounting these instruments. System design should consider sensor accessibility and size.
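The redundant-sensor comparison logic recommended above, as an added example that is not part of the report: the monitor flags a possible sensor failure only when two readings of the same variable disagree (or one falls outside its valid range) for a number of consecutive samples, so that a single noisy sample does not raise a false alarm. The variable name, thresholds, valid range and sample readings are constructed assumptions for illustration.

```python
"""Redundant sensor disagreement monitor (added example; names, limits and
readings are constructed, not taken from the report)."""


class SensorPairMonitor:
    """Compare two redundant readings of one process variable and report a
    possible sensor failure when they disagree persistently."""

    def __init__(self, name, max_difference, valid_range, persistence=3):
        self.name = name
        self.max_difference = max_difference      # largest normal disagreement
        self.min_valid, self.max_valid = valid_range  # plausible signal range
        self.persistence = persistence            # bad samples before alarm
        self.bad_count = 0                        # consecutive bad samples
        self.last_detail = ""                     # why the last sample was bad

    def _valid(self, reading):
        return self.min_valid <= reading <= self.max_valid

    def update(self, a, b):
        """Feed one sample from each sensor.  Returns 'ok', 'suspect'
        (disagreement seen but not yet persistent) or 'sensor_fault'."""
        if not self._valid(a) or not self._valid(b):
            # An out-of-range signal (e.g. an open from the field) is treated
            # as a failed sensor, not as a valid reading to compare.
            bad = [tag for tag, x in (("A", a), ("B", b)) if not self._valid(x)]
            self.last_detail = "out-of-range signal from sensor " + "/".join(bad)
            disagree = True
        elif abs(a - b) > self.max_difference:
            self.last_detail = f"readings differ by {abs(a - b):.1f}"
            disagree = True
        else:
            self.last_detail = ""
            disagree = False
        # Persistence: a single stray sample only marks the pair as suspect;
        # the counter resets as soon as the sensors agree again (assumption).
        self.bad_count = self.bad_count + 1 if disagree else 0
        if self.bad_count >= self.persistence:
            return "sensor_fault"
        return "suspect" if disagree else "ok"


def run_samples(monitor, samples):
    """Apply a sequence of (a, b) readings and return the status per sample."""
    return [monitor.update(a, b) for a, b in samples]


# Constructed readings from a redundant steam pressure pair (units arbitrary):
# agreement, then sensor B drifting low, then B reading an impossible zero,
# then agreement again.
SAMPLES = [
    (42.0, 42.3), (42.1, 42.2),
    (41.9, 35.0), (42.0, 34.8), (42.0, 34.5),
    (42.0, 0.0),
    (42.0, 42.1),
]

if __name__ == "__main__":
    monitor = SensorPairMonitor("steam pressure", max_difference=2.0,
                                valid_range=(10.0, 60.0), persistence=3)
    for (a, b), status in zip(SAMPLES, run_samples(monitor, SAMPLES)):
        print(f"{a:6.1f} {b:6.1f}  {status:13s} {monitor.last_detail}")
```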

Switches: No reed switches should be used in field applications. Switches should be hermetically sealed.

Connections and Connectors: There should be sufficient space to make adequate connections. Connectors in the field should be hermetically sealed.

Pneumatics: Pneumatic system design should include adequate provisions to ensure that supply air is clean. There should be a filter at the final control element.

Circuit Logic: There should be a limited use of potentiometers on printed circuit cards, and also of customizing jumpers. All printed circuit cards should be conformal coated. The design should strive to minimize the number of parts. Series-redundant power input filter capacitors should be provided. The open/close position of valves and actuators should not be determined from timing circuits. Derating policies should be established and stated in the systems specification. Circuit analysis should be performed to establish that the derating criteria have been met. Electrostatic discharge protection should be included in critical circuits. MIL-grade parts should be used for critical circuits.

Alarms: The alarms for critical functions should be initiated from the actual opening and closing of the valve or actuator; alarms should not be initiated solely by circuit logic. Alarms should include all circuit logic that is possible. Therefore, most alarms should receive the initiating signal from just prior to the controller. The following alarms should be added to the list already provided in NVIC 1-69:

Steam  Dump  Activated. 

Low  Steam  Temperature. 

Fuel  Oil  Pressure  High. 

Ignitor  Extended. 

Control Rooms and Control Cabinets: The control room should be cooled to maintain the ambient temperature below 35° C. The control room should be sealed to the extent possible from the external environment to preclude the possibility of fluid seepage from the overhead or deck. Control consoles should have fans for cooling and filters. Control consoles should be mounted on resilient shock vibration dampers.

Wiring: All control wiring should utilize stranded
conductors. No wiring should be smaller than 24 gauge.

Throttle  Control  Hydraulic  System:  It  should  be  possible 
to  take  control  within  five  seconds  with  the  manual  back-up  for 
the  hydraulic  system.  If  this  cannot  be  accomplished  by  a 
handpump,  an  air  pump  with  an  accumulator  should  be  considered. 

Boiler Front: High temperature O-rings should be used for
all applications. Metal to metal contact with a potential for
corrosion should be avoided. There should be direct ventilation
on all boiler front equipment. There should be sufficient
direct reading gauges on the boiler front for complete manual
operations.

A.(1)(c) Component Specifications


The  systems  specification  should  contain  all  individual 
component  specifications,  including  transducer/sensors, 
switches,  valve  operators,  valves,  pneumatic  devices,  etc. 

There are numerous types of sensors for each application and
many manufacturers. It appears that the current component
selection process is primarily based on cost and on what has
previously been used. There is very little data to substantiate
whether certain types of components perform better than others,
or whether certain manufacturers produce superior components.
Apparently the basic method for obtaining sufficient levels of
reliability is through warranty agreements lasting from six
months to a year. Most current literature provided by component
manufacturers contains little, if any, environmental data.

Also, very little maintenance or troubleshooting information is
provided by these manufacturers. Therefore, to increase the
reliability of automated control system components, requirements
need to be realistically stated. Also, means must be provided
to verify that these requirements have been met.

In  order  to  develop  realistic  requirements,  actual  boiler 
room  environments  need  to  be  determined.  There  is  considerable 
conflict  between  the  environmental  requirements  specified  by 
various  organizations  such  as  ABS  and  IEEE.  Also,  there  is 
undoubtedly  a  wide  variation  from  vessel  to  vessel.  Therefore, 
the  spectrum  of  environments  should  be  determined  through  mea¬ 
surements  on  many  ships.  The  actual  environmental  levels 
experienced  can  be  provided  to  the  suppliers  as  design  criteria. 
However,  a  military  type  environmental  qualification  program 
would  be  prohibitively  costly  and  probably  cause  most  suppliers 
to  withdraw  from  the  marine  field.  Also,  it  has  been  found  on 
military  programs  that  laboratory  testing  of  one  or  two  items 
does  not  actually  verify  that  the  component  will  perform  pro¬ 
perly  in  the  field  environment.  That  is,  the  testing  of  one  or 
two  items  in  a  laboratory  is  not  representative  of  the  actual 
population  of  parts  and  environments,  and  laboratory  results  are 
usually  better  than  those  experienced  in  the  field. 

As previously pointed out, a marine data system would provide
information concerning patterns of unreliable part types or
manufacturers. Chronic problems could be noted and a problem
alert system, such as that used by the Government-Industry Data
Exchange Program (GIDEP), could be augmented. These alerts could be
circulated throughout the marine industry, and manufacturers of
substandard components would very quickly be identified.

A.(1)(d) Test Requirements

The systems specification should contain information
concerning how the system is to be tested. Because of the high
failure rate during the first six months to a year, and the
relative inexperience of the crew, it is necessary to eliminate
as many premature failures as possible. This can be
accomplished as follows:


Card  Burn  In:  The  individual  printed  circuit  cards  should 
be  burned-in  for  a  sufficient  period  of  time.  Thermal  cycling 
and  vibration  should  be  a  part  of  the  burn-in  process  and  should 
be  performed  on  the  original  equipment  and  all  spares. 

Detailed System Testing: Once the system has been installed
at the shipyard, it should be activated and detailed systems
testing should be performed. The purpose of this would be to
eliminate as many problems caused by shipyard installation as
possible, and also to verify operating and maintenance
instructions.

A.(1)(e) Workmanship Requirements

Many failures experienced during the lifetime of a vessel
are induced by poor workmanship during manufacturing or during
assembly and installation at the shipyard. Therefore, the
system specification should contain provisions for minimizing these
problems. It has been found that contamination is a major cause
of failure of valves. Contamination can cause valve leakage,
sticking of sliding surfaces, increased wear, plugging of small
orifices, scoring, and high friction forces. In many cases, the
source of the contamination is at vendor or shipyard facilities.
Such problems could be reduced significantly if contamination
provisions were delineated in the system specification.

A.(1)(f) Electrostatic Discharge

Electrostatic discharge is a problem which is recently
receiving increased attention. RCA indicates that ESD accounts
for at least 38 percent of the CMOS semiconductor field failures
returned to them for failure analysis. The construction of
the current generation of integrated circuits results in devices
which can easily be destroyed or degraded by the discharge of
static electricity. To compound the problem, the effects of ESD
may produce latent failures which occur sometime during the
operational life of the device. Military workmanship
specifications and ESD control programs have been published and should
be used as guides for this section of the system specification.
An ESD program contains the following provisions: it provides
for the identification and classification of ESD-sensitive
components; advises that the contractor and his suppliers exercise
ESD protective handling procedures; specifies that technical
manuals dealing with all facets of maintenance include caution
notices; specifies ESD protective handling procedures; and
provides that all ESD-sensitive spares be adequately packaged in ESD
protective packaging.

A.(1)(g) Standardization


Very little standardization exists with respect to marine
automation systems because of variations in the type of
equipment, and the variety of different components used within the
systems. Such lack of standardization creates problems with
respect to training individual crew members. It also increases
life-cycle costs because of the increased number of spares and
types of hardware which must be stocked and supplied. The
system specification should include how the manufacturers,
owners/operators, and shipyards intend to approach standardization.


B.  ACCIDENT  INVESTIGATION  GUIDELINES: 

In  addition  to  the  usual  data  the  Coast  Guard  gathers  dur¬ 
ing  an  accident  investigation  (such  as  general  damage  to  the 
vessel,  operational  mode  at  the  time  of  the  accident,  time  of 
day  etc.),  DOVAP  recommends  that  the  following  questions  related 
specifically  to  the  automated  propulsion  control  system  be 
answered.  These  questions  are  general  in  nature  and  can  be 
modified  according  to  the  specific  accident  and  circumstances. 

Questions 

-  State  of  the  system  at  time  of  accident? 

-  What  automated  control  subsystems  were  contributing 
factors  to  the  accident? 

-  Status  of  those  subsystems  at  time  of  accident? 

- If the accident was caused by malfunction of one or
more propulsion control subsystems, the following
questions should be asked to further define the
cause of failure:

-  What  was  the  cause  of  the  subsystem  failure  and 
what  were  the  symptoms? 

-  Was  the  subsystem  failure  caused  by  a  faulty 
component? 

-  And  if  so,  what  is  the  class  and  type  of  the 
component? 

-  What  was  the  failure  mode  of  the  component? 

- Who is the manufacturer of the defective component?

-  Was  the  failure  mode  of  the  defective  component 
verified? 

-  Was  failure  analysis  performed  on  the  defective 
component? 

-  What  was  the  conclusion  as  to  the  cause  of  the  failure 
mode? 

-  Where  is  the  defective  component  physically  located 
now? 

-  Have  similar  problems  been  experienced  with  these 
components  in  the  past? 

-  Has  corrective  action  been  taken  to  improve  the 
component  or  obtain  a  different  manufacturer? 

- Is the control system manufacturer and/or shipyard
aware of the problems with this component?

- Where was the engine room crew physically located at
the time of the accident?

- Where was the chief engineer at the time of the
accident?

- What are the names of the crew members on duty at
the time of the accident and their classification?

- What is the experience of the crew members on duty?

- What is the training of the crew members on duty?

- How long has this crew been aboard ship?

- Were any abnormalities noted just prior to the
accident?

- Were any abnormalities noted in the last 24 hours?

- Were any abnormalities noted in the last six months?

- When was the last time the subsystem was functionally
tested?

- What was the extent of the test?

- What is the usual frequency for tests?

- When was the subsystem calibrated?

- Is there a preventative maintenance schedule for the
failed subsystem?

- When was the last time preventative maintenance was
performed on the subsystem?

- Who is the manufacturer of the system and subsystem?

- How many similar systems are currently in operation?

- What is the history of this type of problem as far
as the manufacturer is concerned?

- What is the history of this type of problem as far
as other owners/operators are concerned?

- Are there other sources that are or should be aware
of this problem?

- What is the manufacturer's opinion as to the cause
of the problem?

- What alarms, lights, or indicators should have given
indications of the problem?

- Were the alarms, lights, and indicators all functioning
properly at the time of the accident?

- If there was sufficient indication of an impending
problem, what action was taken?

- Why was the action not effective?

- If sufficient warning was not provided, what means
could have been provided to initiate a warning?

- Was communication maintained before, during, and
after the accident?

- What was the primary means of communications?

- What was the back-up means of communications?

C. INSPECTION AND TEST GUIDELINES:


C.(1) Steam Vessel Considerations

DOVAP  feels  that  periodic  Coast  Guard  inspection  and  tests 
should  include  both  a  visual  inspection  of  the  general  condi¬ 
tions  of  the  control  systems  and  the  testing  of  specific  items. 


C.(1)(a) General Inspections

Control  Room.  The  control  room  should  be  checked  for 
general  cleanliness  and  indications  of  unacceptable  maintenance 
practices. 

Engineer’s  Log.  If  appropriate,  the  Engineer's  Log  should 
be  checked  to  see  if  it  is  complete  and  current;  also  problems 
since  the  last  inspection  should  be  reviewed  with  the  chief 
engineer. 

Control Console. Back panels should be removed from the
control console and the following checked:

-  Connections;  looseness  and  corrosion. 

-  Connectors;  corrosion  and  possible  loose  ends,  frayed 
wires,  and  contamination. 

- Printed circuit board connectors; loose pins, frayed
wires, corrosion, and contamination. Check for jury-
rigged jumper connections.

-  Relay  contacts;  check  for  contamination,  corrosion,  and 
arcing. 

-  Filters;  check  to  ensure  that  they  are  in  place  and 
clean. 

-  Power  supplies;  check  for  signs  of  overheating  and 
moisture . 

-  Console  lights;  check  to  ensure  that  all  are  working. 

-  Control  room  horn;  check  to  ensure  that  all  horns 
are  functioning  properly. 

-  Spares  areas;  check  to  ensure  that  the  area  is  clean 
and  that  the  environment  is  adequately  controlled. 

-  Spare  printed  circuit  boards;  check  to  ensure  that  they 
are  packaged  and  stacked  so  that  they  cannot  be  damaged. 
Quantities  of  spare  printed  circuit  boards  should  be 
checked  to  determine  if  they  are  adequate. 

-  Spare  piece  parts;  check  packaging  to  ensure  that  they 
are  protected  from  the  humidity.  Check  to  determine  if 
the  quantities  appear  to  be  adequate. 

- Limited life items; the condition of piece parts that can
deteriorate with age should be checked. Ages of piece
parts should be marked. Verify procedures for disposing of
limited life items when their life has been exceeded,
and check stock to ensure that these items have in fact
been removed.

- Filters; check supply of filters to determine if there
appears to be an adequate supply.

-  Test  equipment;  check  to  determine  if  there  are 
sufficient  types  and  quantities  to  maintain  the  vessel. 
Card  tester  should  be  checked  to  determine  if  it  has 
been  maintained  properly. 

-  Field  equipment;  check  to  determine  if  maintenance 
appears  to  be  proper.  Determine  when  the  field  com¬ 
ponents  have  been  calibrated  and  time  of  next  antici¬ 
pated  calibration. 

-  Pneumatic  actuators  and  other  devices;  check  to  deter¬ 
mine  if  the  air  supply  is  clean,  dry,  and  not 
contaminated;  check  drain  traps  to  determine  if  they 
have  been  drained  recently. 

-  Field  transducers  and  switches;  check  to  determine  if 
connections  are  adequate,  check  connections  and  body 
of  sensor  for  corrosion  or  other  evidence  of 
deterioration . 

-  Valves;  check  for  signs  of  leakage,  examine  body  for 
cracks,  leaks,  corrosion,  etc. 


C.(1)(b) Systems Tests

In  addition  to  the  general  visual  inspection  of  the  control 
room  and  field  components,  specific  systems  tests  should  be 
performed.  Because  of  time  limitations,  all  possible  tests 
cannot  be  run  at  any  one  inspection.  Therefore,  a  means  should 
be  provided  so  that  the  critical  functions  can  be  tested.  A 
method  for  determining  the  items  to  be  tested  based  on  function 
criticality  and  the  frequency  of  failure  of  the  function  is 
provided  in  the  following  Table  XIII-1.  Each  of  the  factors 
(i.e.,  criticality  and  failure  frequency)  is  weighted  from  1  to 
5,  with  5  being  the  most  critical  or  the  most  frequent.  The 
total  weights  are  then  added  and  the  frequency  of  the  inspection 
based  on  the  total.  The  maximum  number  of  points  that  can  be 
assigned is 10 and the minimum 2. The following overall
weighted values indicate priorities that can be assigned to the
checkout of an automated propulsion system.

Total Priority Weighting:

9, 10: Should be checked each time.

6, 7, 8: Should be checked at least every other time.

2-5: Tested at random as time permits.
Table XIII-1 (fragment): Drain Tank Level Alarm: Lower the
atmospheric drain tank water level and observe that the alarm
sounds at the specified level.
C.(2) Diesel Vessel Inspection Considerations

As  pointed  out  in  the  fault  tree  discussions,  the  vast 
majority  of  diesel  automation  system  failures  that  can  cause  an 
undesirable  event  have  no  means  for  manual  intervention.  This 
is  also  borne  out  in  the  criticality  analysis.  This  occurs  on 
the  diesel  system  evaluated  during  this  study  for  two  reasons. 
First,  there  are  no  "pipeline  processes",  as  discussed  earlier, 
so  that  when  a  failure  occurs  it  will  "take  effect"  immediately. 
Second,  most  alarms  and  trips  are  provided  to  prevent  machinery 
damage  (for  instance,  from  low  lube  oil  pressure,  high  jacket 
water  temperature,  etc.) 

These failure characteristics significantly limit the
possible approaches for safety inspections. Alarms and trips
can, and should be, tested although in many cases an "end to
end" test will not be possible. Such an "end to end" test would
verify proper operation of all elements from initiating sensor
to final audible and visible alarm. On a steam vessel, for
instance, such an end to end test on the drum level alarms can
be performed by changing the drum level. On a diesel vessel, on
the other hand, one would not want to lower the lube oil
pressure, raise the jacket water temperature, etc. Instead, such
alarms would have to be tested by stimulating the sensor in some
manner dependent upon the specific sensor.

From a safety standpoint, a more significant type of
inspection would involve verifying that all operational modes were
not failed. On the diesel vessel evaluated during this study,
several operating modes, and combinations thereof, were provided
(e.g., bridge in control, engine room in control; cruise mode,
maneuver mode; one-engine modes, two-engine mode). Some of
these modes, and combinations of modes, will be utilized
infrequently. Therefore, failures affecting them might not be
detected until that particular mode/mode combination is needed.
Such failures can include loss of ability to go astern,
uncommanded speed changes, etc., and had one of these failures
occurred, it would "take effect" instantaneously when the
affected operating mode was selected. Periodic inspections of
all operating modes and combinations of modes would provide some
assurance that failures would not go undetected.


D.  GUIDELINES  FOR  CREW  TRAINING  AND  EXPERIENCE  CONSIDERATIONS 


D.(1) Training and Experience Factors

When  evaluating  training  requirements  for  crew  members  who 
operate  and  maintain  automated  propulsion  systems,  many  factors 
have  to  be  considered.  These  factors  are  interrelated  and  are 
as  follows. 

a)  Type  of  System: 

The  type  and  extent  of  the  training  has  to  be 
considered  in  terms  of  control  system  complexity 
and  the  state  of  the  art  of  the  system. 


b)  The  Level  of  Sophistication  in  Built-In  Tests: 
Increased  capability  of  the  BIT  reduces  training 
requirements  of  crew  members  in  the  areas  of 
operational  testing  and  fault  isolation.  The  level 
of  BIT  must  be  traded  off  to  determine  the  cost 
benefit  versus  the  degradation  in  reliability  due 
to  the  additional  equipment.  Also,  the  initial  cost 
of  the  additional  BIT  equipment  must  be  considered. 


c) Better Availability of On-Shore Personnel:

If  on-shore  personnel  were  available  to  perform 
scheduled  and  non-scheduled  maintenance,  the  need 
for  highly  trained  crew  members  would  be  reduced. 


d)  Ability  of  Back-Up  Systems  to  Take  Over  the  Load: 

If  the  primary  systems  could  be  out  of  operation 
for  extended  periods  of  time,  with  no  hazard  to 
vessel  navigation,  the  need  for  immediate 
diagnostics  and  repairs  would  be  minimized,  thus 
also  minimizing  the  need  for  crew  members  to 
perform  these  functions. 

During the evaluation of training requirements, much
information was obtained from Log Number 600, entitled "An
Assessment of Shipboard Sensors and Instrumentation." In the
study reported in this document, extensive interviews were
conducted with owners/operators of U.S. flag ships, ship builders
and manufacturers of automated control systems. Also, foreign
owners/operators and manufacturers were interviewed. In
addition, a great deal of information was obtained during the
on-board observations of Vessels A and B, made by DOVAP, and
from the interviews with the chief engineers. During this
study, DOVAP was assisted by two automation repair firms
and their opinions were also obtained concerning training level
requirements.

One of the major problems related to training is that
generally the crew does not understand reliability and how various
environmental factors and preventative maintenance affect the
long-term reliability of the control system. As examples, DOVAP
personnel observed one control system being operated without the
back panel on the control console. Also, it was observed that
the filters had been removed from the control console. To DOVAP,
operating the control consoles in this manner indicates that the
crew does not understand why the cabinets are enclosed and what
effect leaving them open has on the circuit cards. One failure
mode that is very difficult to isolate is contamination of
printed circuit card connectors. The probability of this failure
mode is increased when the filters and/or back panels are removed.

At  the  current  time,  the  USCG  sets  the  standards  for  both 
licensed  and  unlicensed  crew  members.  The  Coast  Guard  also 
certifies  applicants  who  have  met  the  standard  requirements  and 
passed  the  certification  test.  However,  the  certification  tests 
do  not  currently  require  knowledge  of  automated  control  systems. 
There  are  various  schools  that  offer  preparation  for  the  USCG 
certification.  Here  again,  these  schools  do  not  provide 
adequate  training  on  automated  control  systems. 

A typical example of the experience of licensed crew
members involves Ship B. The chief engineer had considerable
experience with automated control systems and had attended
various manufacturers' schools. The first assistant had 35 years
of experience in all types of ships and had worked on automated
APL and LNG ships. He had also been through a variety of
schools. The second assistant and third assistant engineers
were both fairly "green" with limited experience in automated
propulsion controls. On this ship, the chief engineer performs
all troubleshooting and is in the control room during maneuvering
and start-up.

Some owners/operators, and shipyard personnel report that
equipment is being poorly maintained, and that this neglect is a
major cause of system malfunctions. It is also generally felt
that the systems are becoming too complex for one operating
engineer to understand, and that improved diagnostic techniques
are needed. Shipyards usually provide training for new systems
and some claim that the owners/operators are not taking advantage
of the shipyard-offered courses. Shipyards also claim that
feedback from the owners/operators is not sufficient.

The need for a better data collection system was discussed
previously. If chronic problems are going to be isolated and
resolved, they must be documented. Manufacturers and shipyards
must be aware of the problems in order for corrective action to
be  taken.  The  manufacturers  generally  provide  in-plant  training 
and  documentation  and  also  have  personnel  aboard  during  sea 
trials  to  train  the  crew  and  perform  final  check-out  of  the 
system.  Training  is  the  most  critical  during  the  first  year  of 
vessel  operation.  During  this  time,  the  new  system  being  put 
into  service  will  contain  many  manufacturing  and  shipyard 
induced  problems.  The  failure  rates  will  be  anywhere  from  three 
to  eleven  times  higher  than  during  normal  steady  state  opera¬ 
tions.  Also,  during  this  time,  a  relatively  "green"  crew  will 
be  taking  over  the  system,  trying  to  isolate  failures  as  they 
occur  and  also  become  familiar  with  the  system. 

Most  owners/operators  report  that  union  training  programs 
do  not  provide  the  type  of  training  needed  for  maintaining  auto¬ 
mated  control  systems.  Also,  there  is  no  set  schedule  for 
upgrading  personnel  capabilities.  One  important  factor  that 
must  be  considered  when  specifying  new  control  systems  is  that 
the  design  of  the  system  should  not  be  limited  to  the  current 
capabilities  and  skill  levels  of  crew  members.  There  is  a  ten¬ 
dency  for  some  owners/operators  to  remain  with  pneumatic  con¬ 
trols  even  though  electronic  systems  are  probably  more  reliable 
and  require  less  maintenance.  Part  of  the  basis  for  this 
selection  is  that  the  crew  generally  understands  pneumatics, 
whereas  electronics,  in  most  cases,  is  foreign  to  their  current 
capabilities. 


D.(2) Automation Personnel

Training can generally be broken down into three categories,
that is, (1) unlicensed crew members, (2) licensed crew
members, and (3) shoreside personnel. The availability and
capability of the three are interactive, and training levels of
one affect the required levels of the other groups.

The  following  are  DOVAP’s  recommendations  for  the  three 
levels  of  capabilities.  However,  these  recommendations  must  be 
modified  based  on  the  operational  scenario,  type  of  diagnostics 
available,  type  of  equipment,  adequacy  of  manuals  and  other 
documentations,  and  size  of  the  operator's  fleet. 

AUTOMATION ENGINEER SPECIALIST:

It would be desirable to have one permanent engineer on-board
at all times who has been especially trained for
troubleshooting, servicing, and maintaining the automated control
system. He would be on hand for all critical maintenance
actions and troubleshooting. He should have attended the
manufacturer's training school. It would be helpful if he had attended
training sessions or had been on-board during sea trials. He
should have a background in the technology used to implement the
system (e.g., electronics).

OTHER AUTOMATION SYSTEM CREW MEMBERS:

The other crew members should have had training in general
types of control systems. Because of frequent switching from
vessel to vessel, it is not practical to train all of the crew
members in specific systems. As pointed out previously, crew
members should be indoctrinated into the fundamentals of
reliability and environmental effects on certain components.

Training  of  these  crew  members  should  be  such  that  they  are 
familiar  with  circuit  logic  and  circuit  schematics.  The  func¬ 
tion  of  these  crew  members  should  be  limited  to  routine  opera¬ 
tion  of  the  control  systems  and  in  assisting  the  automation 
specialist  in  the  isolation  of  problem  areas  and  during  calibra¬ 
tion  of  the  system. 

When  a  malfunction  on-board  occurs,  the  immediate  problem 
is  to  restore  the  system  to  normal  operation  or  a  satisfactory 
level  of  reduced  performance.  This  usually  entails  the  activa¬ 
tion  of  one  or  more  back-up  systems.  Because  there  is  always  a 
possibility  of  the  back-up  system  not  functioning  properly  or 
eventually  failing,  it  is  desirable  to  troubleshoot  the  original 
system  and  repair  it  as  soon  as  possible.  In  addition  to 
training,  various  aids  could  assist  in  the  isolation  of  failures 
and  expedite  restoration  of  the  system  to  the  proper  performance 
levels.  As  mentioned  before,  upgraded  maintenance  manuals  and 
diagnostic  procedures  would  assist  in  the  isolation  of  problems. 
Also,  computer-aided  diagnostic  routines  would  greatly  facili¬ 
tate  the  isolation  of  problems,  especially  in  digital  circuitry. 
Small minicomputers could be located in the control room with
software routines for diagnostics of specific problems. The
software logic would determine checkpoints and the most direct
route for isolating problem areas. As previously discussed, the
Ship B burner master module contains 42 digital circuit cards.
If a fault occurred in this digital system and the engineer
tried to fault isolate by randomly replacing cards, restoration
of the system could be a very time-consuming task.
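The point about checkpoints and "the most direct route" can be made concrete. The following is an added example (not code from the report, and not a model of any real burner master module) that treats the 42 cards as a straight signal chain: card 1 is fed a known-good input, at most one card is faulty, and a probe at checkpoint k reports whether the signal leaving card k is correct. Under those assumptions, which are simplifications of a real module with branching logic, a diagnostic routine can isolate the faulty card with one end-to-end check plus at most ceil(log2 42) = 6 further probes, where swapping cards one at a time can take up to 42 checks. The simulated chain is constructed for illustration.

```python
"""Checkpoint-driven fault isolation on a chain of circuit cards.
Added example; not code from the report or from any ship's control system.
Assumptions: a straight chain of n cards, known-good input to card 1, at most
one faulty card, and a probe at checkpoint k that reports whether the signal
leaving card k is correct."""
import math


def isolate_fault(n_cards, probe):
    """Locate the faulty card by bisection over checkpoints.

    probe(k) -> True if the signal after card k (1-based) is correct.
    Returns (faulty_card, probes_used); faulty_card is None when the
    final checkpoint already reads correct, i.e. no fault in this chain.
    """
    probes = 1
    if probe(n_cards):      # end-to-end check first: nothing to isolate
        return None, probes
    lo, hi = 1, n_cards     # invariant: the faulty card is in lo..hi
    while lo < hi:
        mid = (lo + hi) // 2
        probes += 1
        if probe(mid):
            lo = mid + 1    # good signal leaving mid: fault is downstream
        else:
            hi = mid        # bad signal at mid: fault is at mid or upstream
    return lo, probes


def worst_case_probes(n_cards):
    """Upper bound on probes: one end-to-end check plus ceil(log2 n) bisections."""
    return 1 + math.ceil(math.log2(n_cards))


def sequential_swap_checks(n_cards, faulty_card, order):
    """Checks needed when cards are replaced one at a time in `order`
    (the 'randomly replacing cards' approach) until the fault clears."""
    if len(order) != n_cards:
        raise ValueError("order must list every card exactly once")
    return order.index(faulty_card) + 1


def chain_with_fault(n_cards, faulty_card):
    """Constructed simulator: checkpoint k reads correct iff every card
    up to and including k is good.  faulty_card=None means a healthy chain."""
    def probe(k):
        return faulty_card is None or k < faulty_card
    return probe


if __name__ == "__main__":
    n = 42  # card count of the Ship B burner master module cited in the text
    worst = max(isolate_fault(n, chain_with_fault(n, c))[1] for c in range(1, n + 1))
    print(f"bisection: at most {worst} probes for {n} cards "
          f"(bound {worst_case_probes(n)}); swapping cards in order: up to {n} checks")
```

The end-to-end check before bisecting matters in practice: if the signal at the last checkpoint is already correct, the fault is not in this chain (a relay or field device elsewhere, as the next section notes), and bisecting would still return a card and send the engineer after the wrong part.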

SHORESIDE  PERSONNEL: 

Shoreside  personnel  fall  into  three  categories:  (1)  manu¬ 
facturer's  representatives;  (2)  highly  skilled  automation  system 
repair  independent  service  companies;  (3)  on-shore  pools  of 
personnel  maintained  by  large  shipping  companies.  Most  owners- 
operators  utilize  the  service  of  on-shore  personnel  for  more 
complex  problems.  The  biggest  problem  is  the  availability  of 
these  people  when  needed,  and  the  turn-around  time  for  restoring 
the  equipment  to  normal  status.  On-shore  personnel  are  also 
utilized  for  system  calibration,  a  very  time-consuming  task 
which is usually required from every six months to every twelve
months. Some vessels with complex control systems utilize
on-shore personnel on the average of once a month. The training
of the on-shore personnel does not fall within the realm of
training requirements; however, the availability and capability
of these people must be kept in mind when considering training
requirements for on-board crew members.


D.(3)  Additional  Comments 

As discussed above, training requirements can be reduced through the provision of built-in test (BIT) and on-board circuit card testers. However, there will likely be control system areas that such test provisions will not cover. A major area would be relays that are not mounted on printed circuit cards, and are therefore not testable via the card tester. On Ship A, such non-card-mounted relays are used extensively for feedwater control and burner demand sequencing. Failure of such relays would be extremely difficult to troubleshoot without some type of signal tracing and knowledge of what the signals were supposed "to be doing."

When control systems include such areas, it would be desirable for at least one crew member to be trained in the use of wiring diagrams for signal tracing, and in the use of appropriate signal tracing instruments. In some cases, signal tracing could be accomplished with a multimeter, but more likely an oscilloscope would be required.
XIV. CONCLUSIONS AND RECOMMENDATIONS


During the Task I literature review, a wide variety of topics related to automated propulsion systems were reviewed. Generally the discussions in the literature were of a qualitative nature. Some quantitative data was given, but in many cases the basis for the data was not fully explained. The general conclusions reached from the literature reviews are as follows:

a) The reliability of commercial vessel automated propulsion systems needs improvement;

b) No formal reliability efforts related to design are currently applied by United States manufacturers;

c) When discussing individual problem areas, most papers state that sensors are problems but give no positive suggestions for improvement;

d) Components are selected primarily on the basis of cost, unless component provisions are specifically stated in the design criteria;

e) It is generally agreed that automated propulsion systems for commercial vessels should be better supported with improved training, improved manuals and documentation, and better spares and preventative maintenance programs;

f) Standard environmental criteria need to be defined; and

g) A commercial vessel failure data system needs to be established.

In reviewing all literature sources, certain subjects were conspicuous by their absence. These are:

a) No formal reliability evaluations of commercial vessel systems were reported;

b) No cost effectiveness studies of current propulsion systems were reported.

The general theme reflected in all of the documentation is that there is a need to improve the reliability of current automated propulsion systems. However, few facts were given to support these conclusions, and in most cases, means for accomplishing these were vague or not discussed at all. In reviewing these papers, DOVAP noted that the authors had a tendency to imply that either the equipment was not specified correctly, or that it was not supported correctly once it became operational. Manufacturers tended to claim that the shipyard environment degraded the equipment, and again that it was not supported correctly when it became operational. It is apparent from reviewing this literature and from discussions with manufacturers, owners/operators, and shipyard engineering personnel, that a means is needed to get all involved to work together in order to design, install, and operate systems in a manner that will ensure adequate reliability.

The major part of Task II consisted of a reliability analysis of three typical vessels. These included two steam vessels, designated Ship A and Ship B, and one diesel, designated Ship C. The reliability analysis included a) reliability predictions, b) failure modes and effects analyses (FMEA), c) criticality analyses, and d) fault tree analyses. While all four of these analyses fall under the general category of reliability and safety analysis, they are basically different and produce different results. However, all of the analyses are interrelated, and some provide inputs to the other analyses. As an example, the basis for all of the analyses consists of the basic failure rates. For the failure rate predictions, five categories of rates were generated, namely:

a) Basic Failure Rates: The basic rates are for a ship-sheltered environment (i.e., on a ship but not on deck), and an ambient temperature of 35 degrees C, and are based on the use of commercial grade parts, the steady state period of the operational life of the vessel, and on no scheduled or preventative maintenance.

b) Temperature Effect Failure Rates: This failure rate is for all of the same conditions as for basic failure rates except that the temperature is changed from 35 to 50 degrees C.

c) Failure Rates For Improved Quality Levels: These failure rates are the result of changing the part quality levels from commercial grade to the lower military grade parts.

d) Premature Failure Rates: These convert the failure rates for the steady state period to those of the infant mortality, or premature, period. This premature period usually lasts from initial system operation through approximately the first six months of system life.

e) Failure Rates For Maintenance Improvements: These failure rates reflect the improvement in the basic failure rate occurring from a comprehensive preventative maintenance program.
The Failure Mode and Effects Analysis (FMEA) utilizes the basic part failure rates. These failure rates are subdivided to cover the failure modes for specific parts, and the modes are then evaluated to determine the effect of the failure on the next higher assembly and the subsystem. The FMEA did not consider system criticality or redundancy, nor the effects of any of the adjustment factors.

The criticality analysis utilized the results of the FMEA to determine the consequence of each failure. The end effects were estimated based on the most probable series of events. The criticality analysis also evaluated the effect of the four adjustment factors.

The Fault Tree analysis provides the most precise estimate of any undesired condition. It is a probabilistic analysis, and depicts all events that could contribute to undesirable events. Because of the complexity of this analysis, usually only a few top undesirable events are selected and analyzed. It would not be economically feasible to evaluate the probabilities of all events.


A.  RESULTS  OF  PREDICTIONS. 


The overall basic failure rate predictions for the three ships are as follows:

                Basic Failure Rate       Mean Time
                (failures per hour)      Between Failure

    Ship A           .007988             125.2 hours
    Ship B           .003622             276.1 hours
    Ship C           .001015             984.9 hours


As previously discussed, the basic failure rate is that which would be experienced with no scheduled or preventative maintenance. That is, each component is allowed to degrade until it eventually becomes a functional failure. However, even if the component does degrade until it becomes a functional failure, the failure may not have a critical effect on the system. Examples of such failures are those which cause loss of alarms or backup equipment.

The highest predicted failure rate for the three systems evaluated is for Ship A, which averages approximately 5.8 predicted failures per month. The principal reason for the difference between the two steam vessels is that Ship A's automated propulsion system is more complex than Ship B's. Ship A also has three burners per boiler, while Ship B has two. Ship A also has provisions for automatically sequencing the burners on and off. Also, Ship A contains a great deal of pneumatic equipment which has a relatively high failure rate. Ship C is the diesel vessel and its control system is not comparable to those of the steam systems, which are much more complicated.

It  is  predicted  that  Ship  B  will  average  approximately  2.6 
failures  per  month. 

As previously discussed, the failure rates can be reduced by approximately 50 percent through a comprehensive preventative maintenance program. If this were instituted and the basic failure rates were reduced by half, the expected number of failures per month for Ship B would then be 1.3. This prediction of 1.3 failures per month is close to the 1.6 failures per month derived from the Navy 3M data system for the actual occurrence of Navy propulsion system failures. This gives a good substantiation for the predicted values, since the Navy does have comprehensive preventative maintenance programs.

As previously indicated, these failure rates can be adjusted either upwards or downwards by the various factors. For instance, increasing the temperature increases the failure rates by approximately 22 percent; quality improvements through the use of military grade parts decrease the failure rates by 53 percent; shifting from the steady state to the premature operational phase increases the failure rates by a magnitude of 6.

Some quantitative data obtained during Task I provides comparative frequencies. As an example, one report summarizes findings concerning the frequency of alarms from 20 ship-years of accumulated history. This paper reports that on average, turbine tankers experienced 3.5 alarms per month. This is relatively close to the 2.6 failures that are predicted for Ship B, although failures cannot be directly compared to alarms. The number of failures should be somewhat less than the number of alarms because some alarms result from components' parameters drifting or calibration problems, and only require adjustment.
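The prediction arithmetic of this section (a constant failure rate, its reciprocal as mean time between failures, the expected count over a month, and the multiplicative adjustment factors quoted above) is small enough to be checked directly. The following is an added example written for this edition, not DOVAP's prediction program; the three basic rates and the percentage adjustments are the report's, while the 720-hour month and the `system_rate` series-sum are standard assumptions stated in the comments.

```python
from __future__ import annotations

HOURS_PER_MONTH = 720.0   # assumption: 30-day month; reproduces the report's per-month figures

# Overall basic failure rates (failures per hour) from the report's prediction table:
# ship-sheltered environment, 35 C, commercial-grade parts, steady-state life, no PM.
BASIC_RATES = {"Ship A": 0.007988, "Ship B": 0.003622, "Ship C": 0.001015}

# Multiplicative adjustment factors taken from the percentages quoted in the text.
ADJUSTMENTS = {
    "temperature_50C": 1.22,          # +22 percent at 50 C instead of 35 C
    "military_grade_parts": 0.47,     # -53 percent with military-grade parts
    "premature_phase": 6.0,           # "a magnitude of 6" during the first ~6 months
    "preventative_maintenance": 0.5,  # approximately 50 percent reduction with comprehensive PM
}


def system_rate(part_rates: list[float]) -> float:
    """Series-system prediction (assumption): the system rate is the sum of its parts' rates."""
    return sum(part_rates)


def adjusted_rate(rate_per_hour: float, *adjustment_names: str) -> float:
    """Apply one or more named adjustment factors to a basic rate."""
    rate = rate_per_hour
    for name in adjustment_names:
        rate *= ADJUSTMENTS[name]
    return rate


def mtbf_hours(rate_per_hour: float) -> float:
    """Mean time between failures for a constant (exponential) failure rate."""
    if rate_per_hour <= 0:
        raise ValueError("failure rate must be positive")
    return 1.0 / rate_per_hour


def expected_failures(rate_per_hour: float, hours: float = HOURS_PER_MONTH) -> float:
    """Expected number of failures in `hours` of operation at a constant rate."""
    return rate_per_hour * hours


def prediction_table(rates: dict[str, float] = BASIC_RATES,
                     hours: float = HOURS_PER_MONTH) -> list[dict]:
    """One row per ship: basic MTBF and expected monthly failures under several scenarios."""
    rows = []
    for ship, lam in rates.items():
        rows.append({
            "ship": ship,
            "rate_per_hour": lam,
            "mtbf_hours": round(mtbf_hours(lam), 1),
            "basic_per_month": round(expected_failures(lam, hours), 1),
            "with_pm_per_month": round(
                expected_failures(adjusted_rate(lam, "preventative_maintenance"), hours), 1),
            "hot_per_month": round(
                expected_failures(adjusted_rate(lam, "temperature_50C"), hours), 1),
            "premature_per_month": round(
                expected_failures(adjusted_rate(lam, "premature_phase"), hours), 1),
        })
    return rows


if __name__ == "__main__":
    for row in prediction_table():
        print(row)
```

The Ship A and Ship B rows reproduce the table above (125.2 and 276.1 hours; 5.8 and 2.6 failures per month) and the 1.3 per month quoted for Ship B under preventative maintenance. Note that 1/0.001015 is 985.2 hours, not the 984.9 printed for Ship C; the printed value corresponds to a rate slightly above the four significant figures shown.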


B.  FAILURE  MODES  AND  EFFECTS  ANALYSIS. 


The FMEAs revealed conditions that are contrary to good reliability practices. Some of these are as follows:

a) Excessive use of components;

b) Use of a single sensor for both an alarm and a function signal used in the control logic;

c) Extensive use of low quality grade components;

d) Lack of electro-static discharge protection;

e) Use of logic configurations that introduce either undesirable failure modes, per se, or an increased number of undesirable failure modes.

Specific cases illustrating the above conditions are discussed in a "case history" format in Section X.

C.  CRITICALITY  ANALYSIS. 


In order to evaluate the criticality associated with each failure mode, a criticality analysis was performed. Due to the complexity of the analysis and the fact that the basic results were the same for Ships A and B, only Ship B was analyzed quantitatively. The total predicted failure rate for Ship B, using the basic rates, was 0.003627 failures per hour, or a mean time between failures of 276.1 hours. Using a normal cruising time of 710 hours, the expected number of failures per normal cruise is 2.57. Figure XIV-1 is a criticality analysis printout which shows the distribution of the 2.57 failures arranged in order of mission criticality. These are expected frequencies for normal cruising.

During the normal cruising period, permanent damage to either the boiler or turbine is ranked first in terms of criticality, and temporarily reduced RPMs is third. The most frequent mission effect is small performance degradation, which accounts for 23 percent of the total failures. Twenty-three percent of the expected total number of failures per cruise amounts to an average of 0.6 occurrences per cruise of a failure causing a small performance degradation. Because "small performance degradation" is rather inconsequential during normal cruising, the mission loss probability is computed as 0.1. Therefore, even though the mission effect classification "small performance degradation" is highest by frequency, because of the low mission loss probability it is ranked 5th in terms of its contribution to mission criticality.

The number one ranked mission effect, possible boiler or turbine damage, accounts for a probability of 0.48, with a percentage contribution to the total criticality of 35 percent.

This mission effect has to be discounted to some extent, however. The possible boiler damage is due to either possible steam or combustion explosions, and turbine damage is due to such possible problems as high drum level or wet steam. This mission effect is nebulous because the true probabilities of occurrence are influenced by factors external to the propulsion control system, and usually damage is not instantaneous. Turbine damage usually results from the effects of repetitive failures over time, or from one condition being allowed to exist too long. These cumulative types of damage factors could not be evaluated during this analysis.
Therefore, discounting the number one mission effect, the remaining top three mission effects account for 24.7 percent of the expected failure rate for normal cruising. This amounts to a failure rate of 0.63 for the remaining top three events, or a mean time between occurrence of 1120 hours. This is equivalent to a relatively serious problem occurring on average 7.6 times a year during normal cruising. The expected frequency of temporarily reduced RPMs, the number three ranked mission effect, is 0.29 per cruise. This gives an expected rate per year of 3.4. This compares almost exactly to one report reviewed during Task I which documents 41 ship-years of history and reports a slowdown rate of 3.3 per ship-year.
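The criticality ranking described in this section is a product of two quantities per mission effect: how often the effect is expected per cruise, and the probability that it costs the mission. The following added example (written for this edition, not DOVAP's Figure XIV-1 printout) implements that ranking. Only the Ship B rate (0.003627 per hour), the 710-hour cruise, and the 23 percent / 0.1 figures for "small performance degradation" come from the report; the other effect shares and mission-loss probabilities are constructed sample values, and the twelve one-month cruises per year is an assumption that reproduces the report's per-year conversions.

```python
from __future__ import annotations

from dataclasses import dataclass

CRUISE_HOURS = 710.0    # normal cruising time used in the report
CRUISES_PER_YEAR = 12   # assumption: one-month cruises; reproduces the report's per-year figures


@dataclass
class MissionEffect:
    name: str
    share_of_failures: float         # fraction of all failures that end in this mission effect
    mission_loss_probability: float  # P(mission is lost | this effect occurs)


def failures_per_cruise(rate_per_hour: float, hours: float = CRUISE_HOURS) -> float:
    """Expected failures in one cruise at a constant failure rate."""
    return rate_per_hour * hours


def per_year(per_cruise: float) -> float:
    """Per-cruise expectation scaled to a year of one-month cruises."""
    return per_cruise * CRUISES_PER_YEAR


def mean_time_between(per_cruise: float, hours: float = CRUISE_HOURS) -> float:
    """Mean hours between occurrences of an effect expected `per_cruise` times per cruise."""
    return hours / per_cruise


def rank_by_criticality(total_per_cruise: float, effects: list[MissionEffect]) -> list[dict]:
    """Rank mission effects by criticality = expected occurrences x P(mission loss).

    A frequent but benign effect (low mission-loss probability) can rank below a
    rare but severe one, which is why frequency order and criticality order differ.
    """
    rows = []
    for e in effects:
        freq = total_per_cruise * e.share_of_failures
        rows.append({"effect": e.name,
                     "per_cruise": freq,
                     "per_year": per_year(freq),
                     "criticality": freq * e.mission_loss_probability})
    total_crit = sum(r["criticality"] for r in rows)
    rows.sort(key=lambda r: r["criticality"], reverse=True)
    for rank, r in enumerate(rows, start=1):
        r["rank"] = rank
        r["pct_of_criticality"] = 100.0 * r["criticality"] / total_crit if total_crit else 0.0
    return rows


# Constructed sample effects (shares sum to 1.0). Only the "small performance degradation"
# row uses the report's own numbers: 23 percent of failures, mission-loss probability 0.1.
SAMPLE_EFFECTS = [
    MissionEffect("possible boiler or turbine damage", 0.190, 0.90),
    MissionEffect("loss of one boiler", 0.120, 0.60),
    MissionEffect("temporarily reduced RPMs", 0.113, 0.50),
    MissionEffect("loss of alarm or backup equipment", 0.300, 0.08),
    MissionEffect("small performance degradation", 0.230, 0.10),
    MissionEffect("no mission effect", 0.047, 0.00),
]

SHIP_B_BASIC_RATE = 0.003627  # failures per hour, as used in the report's criticality analysis


def ship_b_ranking() -> list[dict]:
    """Criticality table for the constructed Ship B effects."""
    return rank_by_criticality(failures_per_cruise(SHIP_B_BASIC_RATE), SAMPLE_EFFECTS)


if __name__ == "__main__":
    for r in ship_b_ranking():
        print(f'{r["rank"]}. {r["effect"]:36s} {r["per_cruise"]:.2f}/cruise  '
              f'crit {r["criticality"]:.3f} ({r["pct_of_criticality"]:.0f} %)')
```

With the constructed shares, "small performance degradation" is the most frequent row (0.6 per cruise) yet ranks fifth by criticality, the behaviour the text describes. The 0.63-per-cruise figure for the remaining top three effects gives 7.6 per year by this conversion; 710 / 0.63 is 1127 hours, so the report's 1120 hours follows from a less-rounded per-cruise rate.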


D.  FAULT  TREE  ANALYSIS. 


Of the four analysis techniques, the Fault Trees are the most precise. The failure mode probabilities were based on the exponential distribution and are computed for one cruise of one-month duration. Each probability of occurrence was computed twice, once with the probability of manual intervention being effective 90 percent of the time (or, noneffective 10 percent of the time), and once with no manual intervention. Noneffective manual intervention could be due to an alarm failure, incorrect action taken by the crew, action not timely enough to prevent problems, etc. The probability of alarm failure is relatively small, in most cases less than 5 failures per one-million hours. This probability can also be significantly reduced by periodic testing of alarms. The probabilities do not take into account such backups to alarms as indicators, lights, and other gages.

In calculating the probabilities of the top level undesirable events, all possibilities had to be considered. Examination of some of the branches of a fault tree will indicate relatively high probabilities of occurrence at the bottom of the tree. However, due to "AND" logic where two or more events must occur for the upper event to occur, some of the probabilities become insignificant.


Table XIV-1 summarizes some of the probabilities of the top level undesirable events for the two steam systems, and gives the probabilities with manual intervention being 90 percent effective (or 10 percent noneffective) and with no manual intervention. One of the top undesirable events is unscheduled turbine shutdown. The probability that Ship A will experience an unscheduled turbine shutdown when manual intervention is 90 percent effective during a cruise is 0.1584; this probability [remainder of sentence illegible in the source scan] shutdowns per year for Ship A and 1.27 for Ship B. As expected, the probabilities increase significantly with no manual intervention; for Ship A the probability increases to 0.5186 and for Ship B to 0.2861.

The 1.9 and 1.27 predicted stoppages at sea compare closely with information given in a paper that documents the history of 29 tankers. This paper reports an average stoppage at sea rate of one per ship per year. The results of the DOVAP study are slightly on the pessimistic side, mainly because it was necessary to estimate the frequencies of certain occurrences outside of the automated propulsion system itself. In some cases, it was assumed that such occurrences had either a hundred percent or a very high probability of occurrence. The subevents under unscheduled turbine shutdown in Table XIV-1 are given to show some of the relative probabilities; it should be noted, however, that these are not additive. As an example, both boilers must fail in order for an unscheduled turbine shutdown to occur. The frequency of boiler trips for Ship B is predicted to be 0.54 per year. As a comparison to actual historical data, one report which was reviewed during Task I reported 0.45 trips per year based upon 62 ship-years of history.

The probability of explosion, either combustion or steam, is 0.0181 for Ship A and 0.0189 for Ship B. This amounts to an estimated mean time between explosions of 39,000 hours for Ship A and 37,000 for Ship B. As a comparison, it was estimated from two sources of historical data that explosions occur once every 36,000 hours in steam systems. Therefore, the estimates for Ship A and Ship B are relatively close to the data reported from historical analysis.

The probability of a single boiler trip is substantially higher for Ship A than Ship B. This is to be expected because Ship A is more complex and also utilizes a considerable amount of pneumatics which have higher failure rates than electronics. The total effect on the unscheduled turbine shutdown probability, however, is not that significant since the probability that both boilers are down simultaneously reduces the difference. Turbine damage was not included in unscheduled turbine shutdown. This is because, as previously explained, turbine damage calculations are nebulous.

The top undesirable event of loss of speed/directional control becomes very inconsequential. As can be seen, the probability of loss of the primary throttle control mode, with a probability of 0.1682 per cruise, is relatively high. However, double redundancy is provided by the hand pump and the hand wheels, so the probability of losing all control modes becomes extremely small.

The top event for the diesel system fault tree is "vessel does not respond as commanded due to engine room automation faults." The probability of this top event is 0.072, or roughly 0.9 occurrences per year.
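The fault tree method of this section combines three ingredients: an exponential failure law evaluated over a one-month cruise, AND/OR gate logic (both boilers must fail before the turbine shuts down), and a manual-intervention factor that lets only the noneffective 10 percent of a mitigated event propagate upward. The following added example (written for this edition, not DOVAP's fault trees) implements a small evaluator with those ingredients. The tree shape, the basic-event rates, the 720-hour cruise and the twelve cruises per year are constructed or assumed; the 90 percent intervention effectiveness and the "both boilers" AND gate follow the text.

```python
from __future__ import annotations

import math
from dataclasses import dataclass, field
from typing import Optional

CRUISE_HOURS = 720.0               # assumption: one one-month (30-day) cruise
INTERVENTION_EFFECTIVENESS = 0.90  # manual intervention effective 90 percent of the time (report's figure)
CRUISES_PER_YEAR = 12              # assumption: twelve one-month cruises per year


def p_fail(rate_per_hour: float, hours: float = CRUISE_HOURS) -> float:
    """Probability that an exponentially distributed failure occurs within `hours`."""
    return 1.0 - math.exp(-rate_per_hour * hours)


@dataclass
class Node:
    """A fault-tree node: a basic event (gate is None) or an AND/OR gate over children."""
    name: str
    gate: Optional[str] = None                  # "AND", "OR", or None for a basic event
    rate: float = 0.0                           # failures per hour (basic events only)
    children: list[Node] = field(default_factory=list)
    mitigated: bool = False                     # effective manual intervention prevents this event


def probability(node: Node, intervention: Optional[float] = INTERVENTION_EFFECTIVENESS,
                hours: float = CRUISE_HOURS) -> float:
    """Probability of `node` occurring during one cruise.

    Pass intervention=None for the "no manual intervention" case; otherwise only the
    noneffective fraction (1 - intervention) of a mitigated event propagates upward.
    """
    if node.gate is None:
        p = p_fail(node.rate, hours)
    else:
        ps = [probability(c, intervention, hours) for c in node.children]
        if node.gate == "AND":
            p = math.prod(ps)                          # every input must occur (assumed independent)
        elif node.gate == "OR":
            p = 1.0 - math.prod(1.0 - q for q in ps)   # at least one input occurs
        else:
            raise ValueError(f"unknown gate type: {node.gate}")
    if node.mitigated and intervention is not None:
        p *= 1.0 - intervention
    return p


def per_year(p_per_cruise: float) -> float:
    """Expected occurrences per year from a per-cruise probability (the report's conversion)."""
    return p_per_cruise * CRUISES_PER_YEAR


def boiler_trip(tag: str) -> Node:
    """Constructed subtree: a boiler trips on a false flame-safeguard trip, or on a feedwater
    control failure the crew fails to catch in time (rates are constructed, not the report's)."""
    return Node(f"boiler {tag} trip", "OR", children=[
        Node(f"flame safeguard {tag} false trip", rate=2.0e-5),
        Node(f"feedwater control {tag} failure", rate=1.5e-4, mitigated=True),
    ])


# Both boilers must be down for an unscheduled turbine shutdown, hence the AND gate.
TURBINE_SHUTDOWN = Node("unscheduled turbine shutdown", "AND",
                        children=[boiler_trip("1"), boiler_trip("2")])


def report(top: Node = TURBINE_SHUTDOWN) -> dict:
    """Top-event probabilities with and without manual intervention, plus per-year rates."""
    with_mi = probability(top)
    without_mi = probability(top, intervention=None)
    return {
        "with_intervention": with_mi,
        "without_intervention": without_mi,
        "per_year_with_intervention": per_year(with_mi),
        "per_year_without_intervention": per_year(without_mi),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:32s} {v:.6f}")
```

The example shows the two effects the text describes: a single boiler's trip probability is a few percent per cruise, but the AND gate squares it, so the turbine-shutdown probability is far smaller; and removing the intervention factor multiplies the top-event probability many times over. Applied to the report's own figures, the per-year conversion turns 0.1584 per cruise into 1.9 shutdowns per year and 0.072 into roughly 0.9.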
E. OVERALL CONCLUSIONS AND RECOMMENDATIONS.


Based on the values predicted by DOVAP and the data from the literature search, it is felt that the automated propulsion systems analyzed during this study have acceptable levels of reliability. However, it must be noted that this applies to the conditions considered during the study analyses. If a specific vessel spends a great deal of time maneuvering and in close quarters, the reliability of the propulsion automation system must be substantially higher. With the current level of technology, reliability of commercial vessel automated propulsion systems could be magnitudes higher. Such higher levels of reliability have been achieved in the aerospace industry. However, any increase in reliability also entails an increase in cost. Also, it should be noted that there is not a one to one ratio between improvements in reliability and relative increases in cost. As increasingly higher levels of reliability are sought, the ratio of cost to reliability increases. It should additionally be noted that increased reliability does not necessarily decrease maintenance costs. On the contrary, increased reliability often results in increased complexity which can have the net effect of increasing maintenance costs. Again, in the military environment, equipment currently in use displays magnitudes higher achieved reliability levels as compared to commercial automated propulsion systems. The military are also consuming a large percentage of their total budget in maintaining these systems.

Section X, Reliability Design and Performance Criteria, discusses ways in which the reliability of commercial vessel automated propulsion systems can be increased. Most of these suggestions will increase the cost of the propulsion systems. As an example, changing from commercial quality grade electronic components to the higher quality level grades would substantially increase both reliability and costs. Therefore, in order to design, install, and support any new automated propulsion system, all requirements of proposed systems should be predefined and cost trade-offs considered. DOVAP recommends that a system specification be generated jointly by the control system manufacturer, the shipyard, and the owner/operator. The system specification should provide the desired levels of reliability for critical functions, and specify how the desired levels are to be achieved. The system specification should also define how the system is to be supported during its operational life.

During  support  considerations,  trade-off  evaluations  should 
include  the  pros  and  cons  of  Built-In  Test  (BIT)  versus  manual 
test  and  fault  isolation. 

In the area of support for operational equipment, the system specification should specify the levels of training required for the various crew members. DOVAP suggests that at least one member of the crew be trained as a propulsion system control specialist. This member need not be the chief engineer, but the chief should be on hand during critical maneuvering operations. He also should be the principal investigator in the troubleshooting and corrective action of the automated propulsion system. Also, required levels of manning for the control room should be specified in the system specification. If periods of unmanned engine room operation are planned, alarm provisions should be adequate, and certain critical alarms should be redundant. The system specification should also delineate how the system is to be manned during the first 6 months when failure rates could be up to six times greater than during the steady state period of the operational life. Additionally, the system specification should contain provisions for minimizing this period through workmanship requirements to reduce manufacturing induced problems. It should contain details on the tests to be conducted during sea trials, and specify the training of the crew that will be necessary prior to sea trials. The system specification should also describe in detail the preventative maintenance plan that will be applied during the operational life of the system, including how components which are subject to degradation or wearout are to be periodically replaced or overhauled.

DOVAP's last recommendation is that a data system for the collection of failure related information be established. Throughout the entire study, it was obvious that many of the opinions expressed in the literature and in personal contact were based on observations that can easily be influenced by recent occurrences or by emotional factors. In order to reduce such subjective biases, and provide objective means for evaluating reliability and costs, component failure rates, maintenance requirements and approaches, and other reliability-related factors, a historical data base is very much needed.


